hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Error: Provider configuration not present #25682

Open GNSunny opened 4 years ago

GNSunny commented 4 years ago

Upgrading from 0.11.3 to 0.11.14 did not produce any errors. Upgrading from version 0.11.14 to 0.12.29 throws the error below. I tried different ways to work around it by following all the suggested GitHub issues, but nothing worked. AWS provider version: 2.50.0

variables.tf

variable "dns_route53_hosted_zone_id" {
  default = "ZASDF123JJKL123"           # used in resource
  type    = string
}
variable "client_id" {
  default     = "dev1"                  # used in resource
  type        = string
}

dual-node-vpc-module

aws.route53.tf

resource "aws_route53_record" "services" {
  alias = "alfahostedzone"                                         # resource is using provider alfahostedzone
  zone_id = "${var.dns_route53_hosted_zone_id}"
  name = "${lower(var.client_id)}-services.${lower(var.dns_domain)}"
  type = "A"
  ttl = "300"
  records = ["${aws_instance.linux.private_ip}"]
}

resource "aws_route53_record" "db" {
  alias = "alfahostedzone"                                       # resource is using provider alfahostedzone
  zone_id = "${var.dns_route53_hosted_zone_id}"
  name = "${lower(var.client_id)}-db.${lower(var.dns_domain)}"
  type = "CNAME"
  ttl = "300"
  records = ["${aws_db_instance.primary.address}"]
}
 ...............
 ...............

dual-node-vpc-template

aws.vpc.tf

provider "aws" {
  allowed_account_ids = ["01234567890"]             # dev1 account under main account        
  assume_role {
    external_id = "dev1"
    role_arn     = "${arn:aws:iam::01234567890:role/Myapp-Terraform-Deployment}"
    session_name = "Terraform_Deployment"
  }
  region      = eu-west-1
  version = 2.50.0
}

provider "aws" {
  alias = "alfahostedzone"                             # this is called in module and in resource
  allowed_account_ids = ["312793456789"]                 # main account
  assume_role {
    external_id = "dev1"
    role_arn = "${arn:aws:iam::312793456789:role/Access_To_Myapp_Dot_Net_Hosted_Zone}"
    session_name = "TerraformAccessToRemoteHostedZone"
  }
  region      = "eu-west-1"
  version = "2.50.0"
}

module "dual-node-vpc-template" {
  source = "git::ssh://git@..............dual-node-vpc-module....."

  providers = {
    aws = aws
    aws.alfahostedzone= aws.alfahostedzone
  }
  az_1 = "${module.environment.az_1["${lower(module.region.region)}"]}"
  ...............
  ...............
}

Even after mentioning the providers under the module, the error still persists.

tfplan output:

Error: Provider configuration not present

To work with module.dual-node-vpc-template.aws_route53_record.services
its original provider configuration at
module.dual-node-vpc-template.provider.aws.alfahostedzone is required, but it
has been removed. This occurs when a provider configuration is removed while
objects created by that provider still exist in the state. Re-add the provider
configuration to destroy
module.dual-node-vpc-template.aws_route53_record.services, after which
you can remove the provider configuration again.

Error: Provider configuration not present

To work with module.dual-node-vpc-template.aws_route53_record.example-db-services
its original provider configuration at
module.dual-node-vpc-template.provider.aws.alfahostedzone is required, but it
has been removed. This occurs when a provider configuration is removed while
objects created by that provider still exist in the state. Re-add the provider
configuration to destroy
module.dual-node-vpc-template.aws_route53_record.example-db-services, after which
you can remove the provider configuration again.

  ...............
  ...............

GNSunny commented 4 years ago

Does anybody have a solution to work around this problem?

danieldreier commented 4 years ago

Hi! Thanks for reporting this. I'd like to reproduce it locally.

To do that, I have to be able to run this and run it on my workstation without inventing any details in order to be confident we're seeing the same behavior. As-is, there are parts of this omitted - variables, modules, and so I can't copy-paste this.

Can you please restate your reproduction case such that I can copy-paste it (or git clone it) and run it locally? Ideally, this would use the null resource provider rather than a real provider in order to minimize external dependencies but in this particular case I am happy to work with you to try and reproduce it with the AWS provider.

GNSunny commented 4 years ago

@danieldreier thanks for getting back to me on my issue. I have edited my previous comment above, adding variables and a few other things to help you understand better. This is in production and we use it for clients, and I am unsure how I can provide this information to make it work on your workstation. I can provide additional modules (information) if that helps.

mildwonkey commented 4 years ago

@sunnynehar56 The error message is referring to "module.vpc-template.aws_route53_record.services", but you are showing us the configuration for "dual-node-vpc-template". Can you show us where that module is called in your root module, as well as the "provider" blocks inside that module?

If you've removed the "vpc-template" module to destroy those resources, you will need to add it back in with only the provider blocks so terraform can destroy those resources.

GNSunny commented 4 years ago

@mildwonkey thank you for your time, and I'm so sorry for the trouble. I copied the new error in there. It is actually **module.dual-node-vpc-template.aws_route53_record.services**

mildwonkey commented 4 years ago

@sunnynehar56 I still need to see the "provider" block that's inside that module to see why you might be getting that error.

In order to pass the aliased provider aws.alfahostedzone, your module needs the following proxy provider configuration:

provider "aws" {
    alias = "alfahostedzone"
}

Here's the documentation for passing a provider configuration into a module: https://www.terraform.io/docs/configuration/modules.html#passing-providers-explicitly

GNSunny commented 4 years ago

As shown in my first comment above, I mentioned alfahostedzone under the module.

module "dual-node-vpc-template" {
  source = "git::ssh://git@..............dual-node-vpc-module....."

  providers = {
    aws = aws
    aws.alfahostedzone= aws.alfahostedzone
  }
  az_1 = "${module.environment.az_1["${lower(module.region.region)}"]}"
  ...............
  ...............
}

When I removed/commented out the provider, and also removed it from the resource, the error disappeared, but I got a different error.

# provider "aws" {
#   alias = "alfahostedzone"                             # this is called in module and in resource
#   allowed_account_ids = ["312793456789"]                 # main account
#   assume_role {
#     external_id = "${dev1}"
#     role_arn = "${arn:aws:iam::312793456789:role/Access_To_Myapp_Dot_Net_Hosted_Zone}"
#     session_name = "TerraformAccessToRemoteHostedZone"
#   }
#   region      = "eu-west-1"
#   version = "2.50.0"
# }

aws.route53.tf

resource "aws_route53_record" "services" {
 # alias = "alfahostedzone"                             # commented-out resource is using provider alfahostedzone
  zone_id = "${var.dns_route53_hosted_zone_id}"
  name = "${lower(var.client_id)}-services.${lower(var.dns_domain)}"
  type = "A"
  ttl = "300"
  records = ["${aws_instance.linux.private_ip}"]
}

resource "aws_route53_record" "db" {
  # alias = "alfahostedzone"                       # Commented-out resource is using provider alfahostedzone
  zone_id = "${var.dns_route53_hosted_zone_id}"
  name = "${lower(var.client_id)}-db.${lower(var.dns_domain)}"
  type = "CNAME"
  ttl = "300"
  records = ["${aws_db_instance.primary.address}"]
}
 ...............
 ...............

The final determination is: if I run with the provider alias = alfahostedzone, I receive this error:

Error: Provider configuration not present

To work with module.dual-node-vpc-template.aws_route53_record.services
its original provider configuration at
module.dual-node-vpc-template.provider.aws.alfahostedzone is required, but it
has been removed. This occurs when a provider configuration is removed while
objects created by that provider still exist in the state. Re-add the provider
configuration to destroy
module.dual-node-vpc-template.aws_route53_record.services, after which
you can remove the provider configuration again.

If I comment out provider alias = alfahostedzone, I receive the new error below 7 times, and it doesn't mention which resource. Also, I gave full permission to that particular role, and still the error persists.

Error: AccessDenied: User: arn:aws:sts::1234567890:assumed-role/ALFA-Terraform-Deployment/Terraform_Deployment is not authorized to access this resource
        status code: 403, request id: 185d6de5-4060-42a5-89bf-2d59c9c121f7  
 ...............
 ...............

wyardley commented 4 years ago

I'm seeing this a lot with 0.13.2, including in cases where the provider(s) that were required by the module or resource do still exist in the state

tf init:

Initializing provider plugins...
- Using previously-installed hashicorp/google v3.33.0
- Using previously-installed hashicorp/google-beta v3.33.0
- terraform.io/builtin/terraform is built in to Terraform
- Using previously-installed -/google v3.37.0
- Using previously-installed -/google-beta v3.37.0
- Using previously-installed -/null v2.1.2
- Using previously-installed hashicorp/random v2.3.0
- Using previously-installed hashicorp/null v2.1.2

on plan:

Error: Provider configuration not present

To work with google_compute_instance.xxx its original provider
configuration at provider["registry.terraform.io/-/google"] is required, but
it has been removed. This occurs when a provider configuration is removed
while objects created by that provider still exist in the state. Re-add the
provider configuration to destroy google_compute_instance.xxx,
after which you can remove the provider configuration again.

mildwonkey commented 4 years ago

@wyardley - you will need to run terraform 0.13upgrade (or manually write a required_providers entry) for each module, and sometimes you'll get that message if the modules haven't been updated with provider sources.

You can also use the terraform state replace-providers command to update the state and clear that message.

mildwonkey commented 4 years ago

@sunnynehar56 : it looks like your provider block inside the module is incorrect: https://www.terraform.io/docs/configuration/modules.html#passing-providers-explicitly

If you want to pass an aliased provider to a module, you need a proxy config (see the linked doc above) block, not a full provider config.

This is what you should have in the module that expects to receive a provider config:

provider "aws" {
    alias = "alfahostedzone"
}

Then you can pass provider.alfahostedzone into the module. Can you let me know if that works?

GNSunny commented 4 years ago

@mildwonkey as per the above https://www.terraform.io/docs/configuration/modules.html#passing-providers-explicitly, if you look at the module below, I mentioned it correctly, if you know what I mean.

dev-environment.tf

provider "aws" {
  allowed_account_ids = ["${var.ALFA_TEMPLATE_AWS_ACCOUNT_ID}"]
  assume_role {
    external_id = "${var.deployment_role_external_id}"
    role_arn     = "${var.deployment_role_arn}"
    session_name = "Terraform_Deployment"
  }

  region      = "TERRAFORM_REGION"
  version = "AWS_PROVIDER_VERSION"
}

provider "aws" {
  alias = "alfahostedzone"                                      # this is called in the module
  allowed_account_ids = ["TERRAFORM_DEPLOYMENT_AWS_ACCOUNT"]

  assume_role {
    external_id = "${var.deployment_role_external_id}"
    role_arn = "${var.aws_assume_remotehostedzone_role_arn}"
    session_name = "ALFATerraformAccessToRemoteHostedZone"
  }

  region      = "TERRAFORM_REGION"
  version = "AWS_PROVIDER_VERSION"
}

############################################
module "dual-node-vpc-template" {
  source = "git::ssh://git@git....."

  providers = {
    aws = aws.alfahostedzone                            # as per the documentation
  }

  deployment_user = "DEPLOYMENT_USER"
  .....................
  .....................

################# still I get this error #################
Error: Provider configuration not present

To work with module.dual-node-vpc-template.aws_route53_record.servces its
original provider configuration at
module.dual-node-vpc-template.provider.aws.alfahostedzone is required, but it
has been removed. This occurs when a provider configuration is removed while
objects created by that provider still exist in the state. Re-add the provider
configuration to destroy
module.dual-node-vpc-template.aws_route53_record.services, after which you
can remove the provider configuration again.

If I replace it with this:

module "dual-node-vpc-template" {
  source = "git::ssh://git@git....."

  provider "aws" {
    alias = "alfahostedzone"             # replaced with this provider
}

I get the following error.

Error: Unsupported block type

  on deployment.tf line 86, in module "dual-node-vpc-template":
  86:   providers "aws" {

Blocks of type "providers" are not expected here.

[2020/09/14 13:12:29] Plan complete

I hope this is clear.

mildwonkey commented 4 years ago

Sorry, I was not clear. Leave your module block as is:

module "dual-node-vpc-template" {
  source = "git::ssh://git@git....."

  providers = {
    aws = aws.alfahostedzone                            # as per the documentation
  }
}

Now, inside your "dual-node-vpc-template" module's main.tf (or whatever you've named the files):

provider "aws" {
    alias = "alfahostedzone"
}

That's the proxy provider configuration block that tells the module to expect an aws provider with the alias alfahostedzone.

GNSunny commented 4 years ago

aws-route53.tf

resource "aws_route53_record" "db" {
  provider = "aws.alfahostedzone"                  #  i have used provider in this aws-route53 .tf file   
  zone_id = "${var.dns_route53_hosted_zone_id}"
  name = "${lower(var.client_id)}-db.${lower(var.dns_domain)}"
  type = "CNAME"
  ttl = "300"
  records = ["${aws_db_instance.primary.address}"]
}

resource "aws_route53_record" "services" {
  provider = "aws.alfahostedzone"                #  i have used provider in this aws-route53 .tf file   
  zone_id = "${var.dns_route53_hosted_zone_id}"
  name = "${lower(var.client_id)}-services.${lower(var.dns_domain)}"
  type = "A"
  ttl = "300"
  records = ["${aws_instance.linux-singleton.private_ip}"]
}

Is this what you mean, @mildwonkey?

mildwonkey commented 4 years ago

Nope, that's still not it. As described in the documentation on passing providers explicitly to modules, you need a proxy provider configuration block inside your module, not nested in anything else:

provider "aws" {
    alias = "alfahostedzone"
}

Here's a very simplified version of the entire config:

main.tf:

provider "aws" {
     alias = "alfahostedzone"
     // any other provider config goes here
}

module "dual-node-vpc-template" {
  source = "git::ssh://git@git....."

  providers = {
    aws = aws.alfahostedzone
  }
}

main.tf inside module dual-node-vpc-template

// This is the proxy provider config block that tells the module to expect a provider called aws.alfahostedzone
provider "aws" {
    alias = "alfahostedzone"
}

resource "aws_route53_record" "db" {
  provider = "aws.alfahostedzone"                  #  i have used provider in this aws-route53 .tf file   
  zone_id = "${var.dns_route53_hosted_zone_id}"
  name = "${lower(var.client_id)}-db.${lower(var.dns_domain)}"
  type = "CNAME"
  ttl = "300"
  records = ["${aws_db_instance.primary.address}"]
}

/// etc

mildwonkey commented 4 years ago

Thank you - now I know we're at the same spot 😁

That message tells us that (according to your state file) the provider configuration originally came from the module itself. This error will occur if you (or the module developer) removed the provider configuration block from the module before the resources were destroyed.

To finish the destroy, you will need to put the entire configuration block for aws.alfahostedzone inside the module. After the resources are destroyed you can refactor the module to use the proxy provider configuration that we've been discussing.

I hope this helps!
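
One way to check what the state file records before editing provider blocks, as an added example that is not part of the original thread or of Terraform itself: the Python script below reads state JSON and lists resources whose recorded provider address points into a module (the case explained above) or uses the legacy `-/` namespace from the 0.13.2 report earlier in the thread. The state v4 field names (`resources`, `module`, `provider`) and the sample state are assumptions constructed for illustration.

```python
import json
import re

# Constructed sample in the assumed state v4 layout (`terraform state pull`
# output); resource names mirror the thread, everything else is made up.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"module": "module.dual-node-vpc-template", "mode": "managed",
         "type": "aws_route53_record", "name": "services",
         "provider": "module.dual-node-vpc-template.provider.aws.alfahostedzone"},
        {"module": "module.dual-node-vpc-template", "mode": "managed",
         "type": "aws_instance", "name": "linux",
         "provider": "provider.aws"},
        {"mode": "managed", "type": "google_compute_instance", "name": "xxx",
         "provider": 'provider["registry.terraform.io/-/google"]'},
    ],
})

# Leading "module.<name>." segments mean the state expects the provider
# block to live inside that module rather than in the root module.
MODULE_PREFIX = re.compile(r"^((?:module\.[^.\[]+\.)+)provider")


def resource_address(res):
    """Rebuild the resource address Terraform prints in its error text."""
    parts = [res["module"]] if res.get("module") else []
    if res.get("mode") == "data":
        parts.append("data")
    parts += [res["type"], res["name"]]
    return ".".join(parts)


def audit_provider_bindings(state_json):
    """Return (address, provider, finding) for bindings that can raise
    'Provider configuration not present'."""
    findings = []
    for res in json.loads(state_json).get("resources", []):
        provider = res.get("provider", "")
        match = MODULE_PREFIX.match(provider)
        if match:
            owner = match.group(1).rstrip(".")
            findings.append((resource_address(res), provider,
                             f"state expects a provider block inside {owner}"))
        elif "/-/" in provider:
            findings.append((resource_address(res), provider,
                             "legacy '-' namespace: provider source not updated"))
    return findings


if __name__ == "__main__":
    for addr, provider, finding in audit_provider_bindings(SAMPLE_STATE):
        print(f"{addr}\n  bound to: {provider}\n  {finding}")
```

To run it on real data, save the output of `terraform state pull` to a file and pass its contents to `audit_provider_bindings`.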

GNSunny commented 4 years ago

Yes, that helps @mildwonkey, but I got this error now. After adding this block the error is gone 🎉 👏

provider "aws" {
  alias  = "alfahostedzone"
  region = "eu-west-1"
}

 Error: Missing required argument
  on .terraform\modules\dual-node-vpc-template\alfa-ec2-dev-environment\aws-route53.tf line 2, in provider "aws":
   2: provider "aws" {

The argument "region" is required, but no definition was found. :)

[2020/09/14 18:28:15] Plan complete

Are these errors expected??? 😮

Error: Error reading EC2 volume vol-03a545cad2111111: UnauthorizedOperation: You are not authorized to perform this operation.
        status code: 403, request id: 9b0be4fc-0f14-4434-8762-a8985807e2b1

Error: UnauthorizedOperation: You are not authorized to perform this operation.            
        status code: 403, request id: 04037056-0e09-4a27-8f57-b71e02493895        #doesn't mention which operation

Error: Error retrieving Target Group: AccessDenied: User: arn:aws:sts::01234567890:assumed-role/Access_To_Example_Dot_Net_Hosted_Zone/ALFATerraformAccessToRemoteHostedZone is not authorized to perform: elasticloadbalancing:DescribeTargetGroups
        status code: 403, request id: 643369af-c779-48e2-8b8c-d3c54b3f5a

Error: UnauthorizedOperation: You are not authorized to perform this operation.
        status code: 403, request id: 1c737ee8-03f0-40e9-92d2-d6488bfd1b38

  on .terraform\modules\dual-node-vpc-template\alfa-ec2-dev-environment\aws-instances.tf line 2, in data "aws_ami" "linux-singleton":
   2: data "aws_ami" "linux-singleton" {

/// etc

mildwonkey commented 4 years ago

I can't really speak to those messages. They are coming from the AWS provider. It looks like the credentials you are supplying don't have all the permissions required to perform the operation(s).

I have seen some messages in TRACE logs like this that aren't really errors, and the apply will succeed despite them, but if your apply is failing then you need to address those by making sure that your credentials are properly configured and have all the required permissions.