hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

`terraform import` pulls variables from Terraform Cloud when set to "local" execution #29966

Open tchupp opened 2 years ago

tchupp commented 2 years ago

Summary

When using Terraform Cloud as the backend in "local" mode, there is inconsistent behavior for non-sensitive variable resolution between terraform import and terraform plan.

I believe this is inconsistent behavior introduced by the interaction with Terraform Cloud. I don't think this behavior is caused by Terraform Cloud specifically.

Terraform Version

The most recent test was with v1.0.11, although this behavior has been present since at least v0.13.1.

$ terraform version
Terraform v1.0.11
on darwin_amd64

Terraform Configuration Files

I can provide some configuration here, but this behavior is present regardless of configuration files.

variable "aws_access_key" {
  type        = string
  description = "visible in Terraform Cloud"
}

variable "aws_secret_key" {
  type        = string
  description = "sensitive in Terraform Cloud"
}

provider "aws" {
  access_key = var.aws_access_key
  secret_key = var.aws_secret_key
}

terraform {
  backend "remote" {
    hostname     = "app.terraform.io"
    organization = "<org name>"

    workspaces {
      name = "<workspace name>"
    }
  }
}

resource "aws_s3_bucket" "the-bucket" {
  bucket = "super-duper-unique-bucket-name"
}

Debug Output

TODO

Expected Behavior

My expectation is that terraform import should use the same variables as terraform plan when the Terraform Cloud workspace is set to "Local".

Actual Behavior

terraform import pulls non-sensitive variables from Terraform Cloud, where terraform plan only uses locally defined variables.

Steps to Reproduce

  1. create a workspace in Terraform Cloud with the mode "remote"
  2. add a non-sensitive variable. If using the example above, you'll see the most obvious result by putting incorrect AWS credentials as the variables in Terraform Cloud.
  3. change the Terraform Cloud workspace to "local"
  4. on your computer, create a local.auto.tfvars file with the same variable name you have remote, but with correct AWS credentials
  5. run a terraform plan locally, see that the plan uses the value from local.auto.tfvars
  6. run a terraform import locally, see that the import uses the value from Terraform Cloud

Additional Context

Terraform is running directly from my CLI. Commands are exactly terraform plan and terraform import '<address>' '<id>'.

References

I couldn't find any other open issues with similar issues.

Investigation

It seems this step in the import workflow isn't necessary when the backend is a Terraform Cloud workspace set to "Local" execution: https://github.com/hashicorp/terraform/blob/v1.1.0-beta1/internal/backend/remote/backend_context.go#L95

When debugging locally, I can see the variables are correctly set after the c.collectVariableValues() step here.
But during the local.LocalRun(..) here, it grabs the remote variables here and overrides the existing local variables here.
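The precedence problem described above (locally collected values being silently overwritten by the workspace's non-sensitive variables, even though the workspace is in "Local" execution mode) can be stated in a few lines of Go. The following is an added illustrative model written for this page, not Terraform's own code: the `Variables` map, `ExecutionMode` type and the three functions are assumptions that stand in for the real per-variable input values and backend logic, and the credential strings are constructed placeholders. `ObservedImportVariables` reproduces the merge order the reporter observed for `terraform import`, `ExpectedVariables` is the behaviour `terraform plan` already has, and `DivergingVariables` is the check an operator would want before trusting an import that authenticates to a cloud provider: it lists every variable whose value differs between the two code paths.

```go
package main

import (
	"fmt"
	"sort"
)

// ExecutionMode mirrors the Terraform Cloud workspace setting from the issue:
// "remote" runs in Terraform Cloud, "local" runs on the operator's machine.
// Illustrative type; Terraform's real representation is not shown here.
type ExecutionMode string

const (
	ModeRemote ExecutionMode = "remote"
	ModeLocal  ExecutionMode = "local"
)

// Variables is a name -> value map standing in for the input values Terraform
// collects before a run (locally from *.auto.tfvars, -var, etc.). The remote
// map only ever holds non-sensitive workspace variables, because sensitive
// values are write-only in Terraform Cloud and cannot be fetched.
type Variables map[string]string

// ObservedImportVariables models what the reporter saw in `terraform import`:
// locally collected values are merged with the workspace variables and the
// remote values win, regardless of the execution mode.
func ObservedImportVariables(local, remote Variables) Variables {
	out := make(Variables, len(local)+len(remote))
	for k, v := range local {
		out[k] = v
	}
	for k, v := range remote { // remote overrides local: this is the defect
		out[k] = v
	}
	return out
}

// ExpectedVariables is the behaviour the reporter expects, and what
// `terraform plan` already does: in "local" mode the workspace variables are
// not consulted at all; in "remote" mode they still apply.
func ExpectedVariables(mode ExecutionMode, local, remote Variables) Variables {
	if mode == ModeLocal {
		out := make(Variables, len(local))
		for k, v := range local {
			out[k] = v
		}
		return out
	}
	return ObservedImportVariables(local, remote)
}

// DivergingVariables returns, sorted, the names of variables whose resolved
// value differs between the plan path and the import path. A non-empty result
// in "local" mode means an import would run with values (for example, cloud
// credentials) other than the ones the operator verified with plan.
func DivergingVariables(mode ExecutionMode, local, remote Variables) []string {
	planVars := ExpectedVariables(mode, local, remote)
	importVars := ObservedImportVariables(local, remote)
	var diff []string
	for k, v := range importVars {
		if pv, ok := planVars[k]; !ok || pv != v {
			diff = append(diff, k)
		}
	}
	sort.Strings(diff)
	return diff
}

func main() {
	// Constructed sample values. The remote value plays the role of the
	// "incorrect AWS credentials" from the reproduction steps.
	local := Variables{
		"aws_access_key": "LOCAL-CORRECT-KEY-PLACEHOLDER",
		"aws_region":     "us-east-1",
	}
	remote := Variables{
		"aws_access_key": "REMOTE-WRONG-KEY-PLACEHOLDER",
	}

	fmt.Println("local mode, plan uses:  ", ExpectedVariables(ModeLocal, local, remote)["aws_access_key"])
	fmt.Println("local mode, import uses:", ObservedImportVariables(local, remote)["aws_access_key"])
	fmt.Println("diverging in local mode: ", DivergingVariables(ModeLocal, local, remote))
	fmt.Println("diverging in remote mode:", DivergingVariables(ModeRemote, local, remote))
}
```

Running it shows `aws_access_key` as the single diverging variable in local mode and nothing diverging in remote mode, which is exactly the asymmetry the issue reports: the fix is for the import path to take the `ExpectedVariables` branch when the workspace is local, not to merge and then override.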

tchupp commented 2 years ago

This was the simplest way I could think of to address this issue without causing other unforeseen issues: https://github.com/hashicorp/terraform/pull/29972

tedmiston commented 2 years ago

Thank you for this good writeup. I experienced the same issue today as well with Terraform CLI v1.2.4 backed by Terraform Cloud... but using remote execution mode.

I'm really surprised this ticket doesn't have more traction...