hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

`terraform login` could default to the configured Terraform Cloud/Enterprise hostname, rather than always app.terraform.io #29536

Open nphilbrook opened 3 years ago

nphilbrook commented 3 years ago

Config:

```hcl
terraform {
  required_version = ">= 0.14"
  required_providers {
    google = ">= 3.21.0"
  }
  backend "remote" {
    hostname = "tfe-paas.service.<REDACTED>"
    organization = "REDACTED"
    workspaces {
      name = "REDACTED"
    }
  }
}
```

If I run `terraform login` with this config, it tries to log in to app.terraform.io. Shouldn't it parse the hostname out of my remote backend and log in there?

Observed on versions 0.14.11 and 1.0.6 (latest as of this writing), as shown below:

```
@arlo ~/repos/tfe-modules/terraform-google-bucket $ terraform14 version
Terraform v0.14.11
+ provider registry.terraform.io/hashicorp/google v3.82.0

Your version of Terraform is out of date! The latest version
is 1.0.6. You can update by downloading from https://www.terraform.io/downloads.html
@arlo ~/repos/tfe-modules/terraform-google-bucket $ terraform14 login
Terraform will request an API token for app.terraform.io using your browser.
@arlo ~/repos/tfe-modules/terraform-google-bucket $ terraform1 version
Terraform v1.0.6
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v3.82.0
@arlo ~/repos/tfe-modules/terraform-google-bucket $ terraform1 login
Terraform will request an API token for app.terraform.io using your browser.
```

This is not a hard blocker as I can grab a token and configure a credentials block, but it seems like a bug (or missing feature) to me.

apparentlymart commented 3 years ago

Hi @nphilbrook,

Terraform can log in to potentially many hostnames at the same time, for more complicated scenarios where e.g. there's a private provider or module registry running at a different hostname. By default terraform login chooses app.terraform.io as the hostname to log in to, because that's by far the most common case, but you can specify a different hostname on the command line:

```
terraform login 'tfe-paas.service.<REDACTED>'
```

(naturally, you'll need to use the actual hostname and not the redacted version!)

When you run this command, Terraform CLI will perform service discovery against the hostname you gave. If it refers to a Terraform Enterprise installation then it'll learn that the system supports the Terraform Cloud/Enterprise API and thus should send you through the same login process as would've happened for Terraform Cloud on app.terraform.io.

The terraform login command is not a configuration-sensitive command -- you can run it in any directory, at any time, even if you've not run terraform init to activate the backend yet -- and so it doesn't try to be clever about guessing what hostname you probably meant to log into. Perhaps in a future iteration of the Cloud/Enterprise integration in Terraform CLI, where the integration point could be something more first-class than just another backend, there could be room for it detecting this automatically, since I'd agree that it seems unlikely that you'd want to log in to app.terraform.io in the specific case where you're using self-hosted Terraform Enterprise, and you could always type terraform login app.terraform.io if you really wanted to.

With that said, Terraform CLI is working as designed today, and I hope my answer above will work for you for now. I'm going to label this as an enhancement request to consider the idea of making terraform login detect a hostname automatically, but a prerequisite for that would be having a first-class configuration construct for activating "Terraform Cloud mode", because today Terraform CLI just sees that backend "remote" block as a generic bag of settings handled separately by the backend, as is the case for all backends.

Thanks!

nphilbrook commented 3 years ago

Thanks Martin, that is very helpful.

I do wish I had read the help text for the terraform login command before filing this issue :doh:

I was following these docs here: https://www.terraform.io/docs/cloud/run/cli.html#remote-backend-configuration and a note about the hostname option to the login command would be welcome here as well.

Thanks again and I do understand how this would be an enhancement.
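
The workaround discussed in this thread, as an added example that is not part of the original issue or of Terraform itself: a POSIX shell helper that reads the hostname from a `backend "remote"` block and prints the matching `terraform login` command for review. The function names, the line-based parsing (not a full HCL parser), and the sample hostname are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Terraform code): choose the `terraform login` target from
# the backend "remote" block rather than the app.terraform.io default.
DEFAULT_TF_HOST="app.terraform.io"

# Print the hostname set directly inside backend "remote" { ... } in the *.tf
# files of directory $1; print the default when none is configured.
remote_backend_hostname() {
  found=$(cat "${1:-.}"/*.tf 2>/dev/null | awk '
    /^[ \t]*(#|\/\/)/ { next }                       # ignore comment lines
    !inblk && /backend[ \t]+"remote"[ \t]*[{]/ { inblk = 1; depth = 0 }
    inblk {
      if (depth == 1 && match($0, /^[ \t]*hostname[ \t]*=[ \t]*"[^"]+"/)) {
        s = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        print s; exit
      }
      depth += gsub(/[{]/, "{"); depth -= gsub(/[}]/, "}")
      if (depth <= 0) inblk = 0
    }')
  printf '%s\n' "${found:-$DEFAULT_TF_HOST}"
}

# Print the login command for directory $1 so it can be reviewed before use.
# The hostname comes from repository content, so anything that is not a plain
# host[:port] is rejected instead of being handed to the CLI.
login_command() {
  host=$(remote_backend_hostname "${1:-.}")
  case $host in
    ''|*[!A-Za-z0-9.:-]*) echo "unexpected hostname: $host" >&2; return 1 ;;
  esac
  printf 'terraform login %s\n' "$host"
}

# Demo on a constructed configuration (hostname and names are made up).
demo_dir=$(mktemp -d)
cat > "$demo_dir/main.tf" <<'EOF'
terraform {
  backend "remote" {
    hostname     = "tfe.example.com"
    organization = "example-org"
    workspaces {
      name = "example"
    }
  }
}
EOF
login_command "$demo_dir"   # terraform login tfe.example.com
rm -rf "$demo_dir"
```

The helper only prints the command, so the hostname that will receive the browser-based token request can be checked against the expected Terraform Enterprise host before anything runs.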