hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Move from os.GetEnv to schema.MultiEnvDefaultFun breaks some existing configs #33362

Open wilmardo opened 1 year ago

wilmardo commented 1 year ago

Terraform Version

Terraform v1.3.9
on darwin_arm64

Terraform v1.4.0
on darwin_arm64

Terraform Configuration Files

terraform {
  backend "gcs" {
    prefix         = "tfstate/state"
    bucket         = "bucket"
    encryption_key = ""
  }
}

Debug Output

na

Expected Behavior

Terraform 1.4.0 working like 1.3.9 did and the GOOGLE_ENCRYPTION_KEY being picked up like before

Actual Behavior

The GOOGLE_ENCRYPTION_KEY is ignored and the empty encryption_key has preference which results in the error:

# terraform init

Initializing the backend...
Error loading state: Failed to open state file at gs://guida-aws-production-tf/tfstate/guida-eks-dev-1/default.tfstate: googleapi: got HTTP response code 400 with body: <?xml version='1.0' encoding='UTF-8'?><Error><Code>ResourceIsEncryptedWithCustomerEncryptionKey</Code><Message>The resource is encrypted with a customer encryption key.</Message></Error>

While this worked fine in 1.3.9.

Steps to Reproduce

Set up the gcs backend with encryption_key = "" in the conf like above

1.3.9

  1. export GOOGLE_ENCRYPTION_KEY="key"
  2. terraform init
  3. works

1.4.0

  1. export GOOGLE_ENCRYPTION_KEY="key"
  2. terraform init
  3. encryption key error

Additional Context

Changes like this will lower the precedence of the env var: https://github.com/hashicorp/terraform/pull/31786/commits/469824c3244d0cf98d16c4880e12c6eb41d8f91c

In our case just removing the key was enough but it was a bit of a search why this broke since there is no mention in the CHANGELOG, just about some new features for the gcs backend.

I don't know if this is a documentation issue, I just wanted to raise some awareness for changes like this. A mention in the changelog about this would have been nice. It now got sneaked in with a mostly unrelated PR.

References
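The precedence change reported in the issue above, as an added example that is not part of the original post and is not Terraform's code: a simplified model of the two lookup styles, showing why an explicit `encryption_key = ""` hides `GOOGLE_ENCRYPTION_KEY` once the environment is only a default. The `attr` type and all function names are hypothetical, and the two resolution shapes are assumptions based on the behaviour described in the report.

```go
package main

import "fmt"

const envVar = "GOOGLE_ENCRYPTION_KEY"

// attr models one backend argument. Set is false when the argument is omitted
// from the backend block and true when it is written, even as "".
type attr struct {
	Value string
	Set   bool
}

// resolveFallback models the behaviour reported for 1.3.9 (assumed shape):
// any empty value, omitted or explicit, falls back to the environment.
func resolveFallback(a attr, getenv func(string) string) string {
	if a.Value != "" {
		return a.Value
	}
	return getenv(envVar)
}

// resolveDefault models the behaviour reported for 1.4.0 (assumed shape):
// the environment is only a default, consulted when the argument is omitted.
func resolveDefault(a attr, getenv func(string) string) string {
	if a.Set {
		return a.Value
	}
	return getenv(envVar)
}

// shadowed reports the case from the issue: an explicit empty value that
// hides a key present in the environment under default-style resolution.
func shadowed(a attr, getenv func(string) string) bool {
	return a.Set && a.Value == "" && getenv(envVar) != ""
}

func main() {
	// Constructed environment; "key" is the sample value used in the issue.
	env := func(k string) string { return map[string]string{envVar: "key"}[k] }
	cases := map[string]attr{
		"omitted":        {},
		"explicit empty": {Set: true},
		"explicit value": {Value: "cfg", Set: true},
	}
	for name, a := range cases {
		fmt.Printf("%-14s fallback=%q default=%q shadowed=%v\n",
			name, resolveFallback(a, env), resolveDefault(a, env), shadowed(a, env))
	}
}
```

Only the "explicit empty" row differs between the two styles, which is the configuration from the report; a check like `shadowed` run over backend blocks before an upgrade flags it.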

crw commented 1 year ago

Thanks for this submission! I'll notify the appropriate team.