gruntwork-io / terragrunt

Terragrunt is a flexible orchestration tool that allows Infrastructure as Code written in OpenTofu/Terraform to scale.
https://terragrunt.gruntwork.io/
MIT License

Some Terraform errors are not displayed when running `terragrunt plan` #3382

Open HenriBlacksmith opened 1 week ago

HenriBlacksmith commented 1 week ago

Describe the bug

When running terragrunt plan and having authentication errors, the errors returned by Terraform are not displayed in Terragrunt output.

Steps To Reproduce

I used the following piece of code to compare Terragrunt and Terraform errors with my code:

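```shell
# Run the plan through Terragrunt; "|| true" lets the script continue after it fails
terragrunt plan --terragrunt-log-level debug --terragrunt-debug || true
# Enter the generated module directory (first entry at each of the two cache levels)
cd "${TERRAGRUNT_WORKING_DIR}/.terragrunt-cache"
cd "$(ls -d ./* | head -n 1)"
cd "$(ls -d ./* | head -n 1)"
# Run the same plan with Terraform directly to compare the output
terraform plan
```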

Terragrunt output:

11:06:25.132 STDOUT terraform: Planning failed. Terraform encountered an error while generating this plan.
11:06:25.132 STDOUT terraform: 
11:06:25.249 ERROR  terraform invocation failed in {REDACTED}/.terragrunt-cache/{REDACTED} error=[/builds/{REDACTED}/.terragrunt-cache/{REDACTED}] exit status 1
11:06:25.250 ERROR  1 error occurred:
    * [{REDACTED}/.terragrunt-cache/{REDACTED}] exit status 1

Terraform output:

Planning failed. Terraform encountered an error while generating this plan.
╷
│ Error: building client: unable to obtain access token: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS700213: No matching federated identity record found for presented assertion subject 'project_path:{REDACTED}'. Please note that the matching is done using a case-sensitive comparison. Check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://learn.microsoft.com/entra/workload-id/workload-identity-federation {REDACTED}}
│ 
│   with provider["registry.terraform.io/hashicorp/azuread"],
│   on providers.tf line 1, in provider "azuread":
│    1: provider "azuread" {
│ 
╵
╷
│ Error: building account: could not acquire access token to parse claims: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS700213: No matching federated identity record found for presented assertion subject 'project_path:{REDACTED}'. Please note that the matching is done using a case-sensitive comparison. Check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://learn.microsoft.com/entra/workload-id/workload-identity-federation {REDACTED}"}
│ 
│   with provider["registry.terraform.io/hashicorp/azurerm"],
│   on providers.tf line 5, in provider "azurerm":
│    5: provider "azurerm" {
│ 
╵

Expected behavior

The full Terraform output must be present in Terragrunt output


acaban-nuharbor commented 1 week ago

+1

Was just about to open this bug myself. Can only see the terraform form after manually copy-pasting the terraform command from terragrunt's debug output: `terraform -chdir="..." apply -auto-approve -input=false -var-file="..."`

In my case the error was an error in the .tf file.

HenriBlacksmith commented 1 week ago

A quick update: it looks to be specific to some errors (maybe it is due to the format, or it is because it is an error happening during provider authentication).

ohmer commented 1 week ago

Looks like a duplicate of #3376.

HenriBlacksmith commented 1 week ago

> Looks like a duplicate of #3376.

Looks similar yes, I do not have the broken pipe message (I also saw it in other cases) but the other issue also covers this case.
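
A CI-side check for the symptom reported in this thread, as an added example that is not from any participant or from the Terragrunt project: it reads captured Terragrunt output and flags a failed `terraform` invocation that carries no Terraform `Error:` diagnostic. The function names, the shortened paths in the samples and the `STDERR terraform:` prefix on the constructed diagnostic line are assumptions.

```shell
#!/bin/sh
# Added example, not Terragrunt code. Reads captured Terragrunt output on stdin.

# Prints one of: ok | failed-with-diagnostics | failed-diagnostics-missing
tg_classify() {
    log=$(cat)
    # Failure marker copied from the Terragrunt output in the report.
    if ! printf '%s\n' "$log" | grep -q 'terraform invocation failed'; then
        echo ok
        return 0
    fi
    # Terraform diagnostics begin with "Error: " (case-sensitive, so the
    # Terragrunt "ERROR" level and "1 error occurred:" lines do not match).
    if printf '%s\n' "$log" | grep -q 'Error: '; then
        echo failed-with-diagnostics
    else
        echo failed-diagnostics-missing
    fi
}

# Constructed sample: the failing output from the report, paths shortened.
sample_swallowed() {
    cat <<'EOF'
11:06:25.132 STDOUT terraform: Planning failed. Terraform encountered an error while generating this plan.
11:06:25.132 STDOUT terraform: 
11:06:25.249 ERROR  terraform invocation failed in ./.terragrunt-cache/x error=[./.terragrunt-cache/x] exit status 1
11:06:25.250 ERROR  1 error occurred:
EOF
}

# Constructed sample: the same run with a diagnostic line present. The
# "STDERR terraform:" prefix is an assumption about how it would be logged.
sample_visible() {
    sample_swallowed
    echo '11:06:25.133 STDERR terraform: │ Error: building client: unable to obtain access token'
}

sample_swallowed | tg_classify
sample_visible | tg_classify
```

When the result is `failed-diagnostics-missing`, the pipeline can fall back to the direct `terraform plan` in the cache directory shown in the reproduction steps, so that authentication failures still reach the job log.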