search

hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/
Other
41.76k stars 9.42k forks source link

terraform_remote_state remote backend ignores token in config block when token is present in CLI config #30664

Open tangentspace opened 2 years ago

tangentspace commented 2 years ago

Terraform Version

Terraform v1.1.7

Terraform Configuration Files

data "terraform_remote_state" "example" {
  backend = "remote"

  config = {
    hostname     = "terraform.example.com"
    token        = var.tfe_example_access_token
    organization = "ExampleOrg"
    workspaces = {
      name = "ExampleWorkspace"
    }
  }
}

output "something" {
  value = data.terraform_remote_state.example.outputs.vpcs
}

Expected Behavior

Terraform uses the API token provided in the config block to access the remote state for the target workspace.

Actual Behavior

Terraform always uses the API token from the CLI config file when it exists, ignoring the token explicitly provided in config block.

Steps to Reproduce

Create a .terraformrc file containing a token which does not have access to the target workspace.

Additional Context

This makes it impossible to configure API tokens for workspaces that are not accessible using the token defined in the .terraformrc file. In previous Terraform versions which used the atlas backend, the data source token config overrode other config sources, and this behavior has changed in the new remote backend which breaks existing workflows.

References

I opened a PR that implements the desired functionality: https://github.com/hashicorp/terraform/pull/30663

rubyisbeautiful commented 2 years ago

In a possibly related issue, the expected behavior of providing the token on the commandline, e.g. terraform init -backend-config=token=abc123 would be to override .terraformrc, but it does not. This is not documented. I see https://github.com/hashicorp/terraform/pull/30917 addresses that.

crw commented 2 years ago

Thanks for these reports! I am checking to see if this issue was fixed by that same PR, but have yet to hear back. I'll update this issue when I hear back. Thanks again!