hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: AWS provider requires default AWS profile config defined even when passed a specific profile to use during Terraform Plan #27838

Open Gumdro opened 1 year ago

Gumdro commented 1 year ago

Terraform Core Version

1.3.3

AWS Provider Version

4.39.0

Affected Resource(s)

provider aws

Expected Behavior

Running terraform init in the CLI, passing in tfvars that has my backend file settings, completes module downloads and credential validation with the profile located in the .hcl file that had its path passed in the tfvars file.

When running terraform plan in the CLI while passing in the path for the same backend file with the same profile set, I expect the terraform plan to use the provided profile in the .hcl for the entire plan.

Actual Behavior

terraform init with providers passes the credential check.

terraform plan is run passing in the .hcl with the same profile used in init. Three errors occur.

After creating a default profile in my .aws/config where my other profiles are listed, using the same profile config as the one I am passing in as a variable, the same terraform plan command is run and completes successfully.

Relevant Error/Panic Output Snippet

│ Error: Invalid provider configuration
│
│ Provider "registry.terraform.io/hashicorp/aws" requires explicit configuration. Add a provider block to the root module and configure
│ the provider's required arguments as described in the provider documentation.
│
╵
╷
│ Error: error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
│
│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.
│
│ Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, request send failed, Get "http://169.254.169.254/latest/meta-data/iam/security-credentials/": dial tcp 169.254.169.254:80: connectex: A socket operation was attempted to an unreachable network.
│
│
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on <empty> line 0:
│   (source code not available)
│
╵
Releasing state lock. This may take a few moments...

Terraform Configuration Files

contents of the .tfvars file used in my terraform init command:

environment  = "dev"
color        = "blue"
backend_file = "backends/dev.hcl"

contents of the .hcl file used in my terraform plan command:

bucket  = "tfstate-primary-dev"
key     = "teams.tfstate"
region  = "us-east-2"
profile = "dev"

Steps to Reproduce

terraform init -backend-config "backends/dev.hcl"

terraform plan -var-file "variables/dev.tfvars"

Debug Output

No response

Panic Output

No response

Important Factoids

The same steps work in reverse: removing the default profile and applying the same commands will result in the same errors provided. I have not tested to see if the same behavior occurs when using terraform apply.

References

No response

Would you like to implement a fix?

No response

Gumdro commented 1 year ago

After doing some further testing, this bug gets more egregious, as having to swap through multiple AWS profiles becomes an issue. I manually have to edit my default profile account id every time I change my logged in AWS profile, even after doing a terraform init with the -reconfigure flag.

Apply also suffers this same issue of only reading a default profile.

gdavison commented 1 year ago

Thanks for submitting this, @Gumdro.

The first error usually occurs when providers are configured with an alias, but there is a resource or data source which doesn't include a provider referencing it. For example:

provider "aws" {
  alias = "example"
  ...
}

data "aws_partition" "current" {} # This will fail: no provider argument, so it falls back to the unconfigured default "aws" provider

data "aws_caller_identity" "current" { # This will succeed: it references the aliased provider explicitly
  provider = aws.example
}

The next error says that authentication is not configured for the provider. Can you please include the configuration that you're using?
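The `profile` in the reporter's backends/dev.hcl only authenticates the S3 backend's state operations; the provider resolves its own credentials, and with no `profile` argument (or AWS_PROFILE in the environment) it walks the default chain through `[default]` and then IMDS, which is exactly the second error quoted above. As an added example (not code from this thread or from the provider project), the root module below gives the provider its own profile; it assumes the bucket, region and profile values from the reporter's files and a hypothetical `aws_profile` variable set from the .tfvars file.

```hcl
# Added example, not from the issue thread. Assumes the S3 bucket and the
# named profile "dev" from the reporter's backends/dev.hcl.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.39"
    }
  }

  # Partial backend configuration: bucket, key, region and profile are
  # supplied by `terraform init -backend-config backends/dev.hcl`.
  # That profile is used only for reading and writing state, not by the
  # provider that plans and applies resources.
  backend "s3" {}
}

# Hypothetical variable; set it per environment in variables/dev.tfvars
# so the provider and the backend use the same named profile.
variable "aws_profile" {
  description = "Named profile from ~/.aws/config used by the provider"
  type        = string
  default     = "dev"
}

# The provider needs an explicit credential source. Without `profile`
# (or AWS_PROFILE) the SDK falls through to the [default] profile and
# then to the EC2 instance metadata endpoint, so a plan on a workstation
# with no [default] section fails with "no valid credential sources".
provider "aws" {
  region  = "us-east-2"
  profile = var.aws_profile
}

# If a provider is given an alias instead, every resource and data source
# that should use it needs `provider = aws.<alias>`; one that omits it is
# bound to the default "aws" provider, which then must be configured too.
data "aws_caller_identity" "current" {}

# Handy sanity check: the account this plan will act on.
output "account_id" {
  value = data.aws_caller_identity.current.account_id
}
```

Inspecting the `account_id` output on the first plan confirms which principal the provider actually resolved, which is the cheapest way to catch a silent fall-through to the wrong profile before anything is applied.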