cloudfoundry / terraform-provider-cloudfoundry

Terraform provider to manage Cloud Foundry resources using v3 APIs
https://registry.terraform.io/providers/cloudfoundry/cloudfoundry/latest
Apache License 2.0

[BUG] "invalid_token" after switch to official Cloud Foundry provider #48

Open olfolfolf opened 3 weeks ago

olfolfolf commented 3 weeks ago

Is there an existing issue for this?

What version of the Terraform provider are you using?

1.0.0-rc1

What version of the Terraform CLI are you using?

1.9.8

What CF API version are you using?

3.178.0

What type of issue are you facing?

regression (a behavior that used to work and stopped in a new version)

Describe the bug

As you wrote in the README, the SAP provider is deprecated and we should switch to the official Cloud Foundry provider.

My old code is

  required_providers {
    cloudfoundry = {
      source  = "SAP/cloudfoundry"
      version = "1.0.0-rc1"
    }
  }

I changed it to

  required_providers {
    cloudfoundry = {
      source  = "cloudfoundry/cloudfoundry"
      version = "1.0.0"
    }
  }

Now I get the following error for resource cloudfoundry_org_role when running terraform plan (terraform init -upgrade was run before):

│ error executing GET request for /v3/roles/766e2f43-xxxx-xxxx-xxxx-99d84b617b9b: error executing request, failed
│ during HTTP request send: Get
│ "https://api.cf.eu10-004.hana.ondemand.com/v3/roles/766e2f43-xxxx-xxxx-xxxx-99d84b617b9b": oauth2: "invalid_token"
│ "The token expired, was revoked, or the token ID is incorrect."

My provider config looks like this:

provider "cloudfoundry" {
  api_url  = "https://api.cf.eu10-004.hana.ondemand.com/"
  user     = var.aa_btp_username
  password = var.ab_btp_password
}

When I switch back to provider SAP/cloudfoundry, the error is gone.

Dray56 commented 3 weeks ago

Hi @olfolfolf,

We tried to replicate your scenario and we did not encounter the error message which you observed. We created a valid org role with the sap/cloudfoundry provider and then switched to the cloudfoundry/cloudfoundry provider (with terraform init -upgrade command). We then tried 2 scenarios:

1) We then tried running terraform plan. It was able to successfully read the status from the API and match against the state successfully.
2) We also tried to create a second org role after the upgrade and this also worked without errors.

Can you please describe the setup/script you are using here and how you are upgrading? Is this on a pipeline or your laptop?

The error message you encountered occurs when you try to authenticate via a token or the provider picks the credentials used by CF-CLI from config.json. CF-CLI credentials are picked when an empty provider block is present in the script. Therefore our guess is that when trying to run the script with the new provider, somehow an empty provider block was provided, due to which the CF-CLI credentials were picked, and not being logged in via CF-CLI would have caused the message to appear.
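
One way to test the guess in the comment above, as an added example that is not part of the thread or the provider's code: it reads the CF CLI's config.json and reports whether the stored access token has passed its `exp` claim, without printing the token. It assumes the file lives at `$CF_HOME/.cf/config.json` (or `~/.cf/config.json`) with the CLI's `AccessToken` and `Target` fields; the function names are made up for this example.

```python
import base64, json, os, time

def jwt_expiry(access_token):
    """Return the exp claim (epoch seconds) of a stored access token, or None."""
    # The CLI stores the value as "bearer <jwt>"; keep only the JWT part.
    token = access_token.split()[-1] if access_token.strip() else ""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return exp if isinstance(exp, (int, float)) else None

def cli_session_status(config, now=None):
    """Classify the CLI session a fallback to config.json would pick up."""
    now = time.time() if now is None else now
    token = config.get("AccessToken") or ""
    if not token:
        return "no-token"          # never logged in, or logged out
    exp = jwt_expiry(token)
    if exp is None:
        return "unreadable-token"
    # Local check only: a token can also be revoked before it expires.
    return "expired" if exp <= now else "unexpired"

def _sample_token(exp):
    # Constructed, unsigned sample token for testing; not a real credential.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return "bearer " + enc({"alg": "none"}) + "." + enc({"exp": exp}) + ".sig"

if __name__ == "__main__":
    home = os.environ.get("CF_HOME") or os.path.expanduser("~")
    path = os.path.join(home, ".cf", "config.json")
    try:
        with open(path) as fh:
            cfg = json.load(fh)
    except (OSError, ValueError):
        cfg = {}
    # Print only the verdict and the target API, never the token itself.
    print(path, cli_session_status(cfg), cfg.get("Target", ""))
```

A result of `expired` or `no-token` on the machine where terraform plan fails is consistent with the fallback described in the comment; `unexpired` points elsewhere, for example at the provider block not being empty after all.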