hashicorp / tfc-workflows-github

HCP Terraform starter workflows and github actions to automate Terraform Cloud CI/CD pipelines.
Mozilla Public License 2.0

error uploading configuration version to Terraform Cloud: unauthorized #9

Open mpr555 opened 1 year ago

mpr555 commented 1 year ago

On Friday last week, I had a GitHub workflow using tf cloud to do a plan etc from the guide below

https://developer.hashicorp.com/terraform/tutorials/automation/github-actions

It was working all ok. Nothing has changed, and I have checked API keys expiration and now it does not work.

```
Run hashicorp/tfc-workflows-github/actions/upload-configuration@v1.0.0
  with:
    workspace: learn-terraform-github-actions
    directory: ./
    speculative: true
  env:
    TF_CLOUD_ORGANIZATION: PLOT13
    TF_API_TOKEN: ***
    TF_WORKSPACE: learn-terraform-github-actions
    CONFIG_DIRECTORY: ./
/usr/bin/docker run --name hashicorptfciv100_abc991 --label ed866e --workdir /github/workspace --rm -e "TF_CLOUD_ORGANIZATION" -e "TF_API_TOKEN" -e "TF_WORKSPACE" -e "CONFIG_DIRECTORY" -e "INPUT_WORKSPACE" -e "INPUT_DIRECTORY" -e "INPUT_SPECULATIVE" -e "INPUT_HOSTNAME" -e "INPUT_TOKEN" -e "INPUT_ORGANIZATION" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/learn-terraform-github-actions/learn-terraform-github-actions":"/github/workspace" hashicorp/tfci:v1.0.0  "tfci" "-hostname=" "-token=" "-organization=" "upload" "-workspace=learn-terraform-github-actions" "-directory=./" "-speculative=true"
error uploading configuration version to Terraform Cloud: unauthorized
{
  "status": "Error"
}
```

Kind regards,

Max

thegustavosantos commented 10 months ago

In my case:

1. I generated a new token in Terraform.
2. Updated TF_API_TOKEN in Repository secrets ("myrepo" -> Settings -> Secrets and variables -> Actions) with the new token.
3. Reran and it is working.

AHaydar commented 10 months ago

I've got the same issue - generating a new token solves the problem, but it's weird as the old token hasn't expired. Any way to further investigate this?

srlynch1 commented 10 months ago

> I've got the same issue - generating a new token solves the problem, but it's weird as the old token hasn't expired. Any way to further investigate this?

One possible reason for this: if you used a user token and SSO is enabled, the token would only be active whilst the SSO session remains active.

It's possible for the token to be not expired but inactive due to SSO session expiry.

AHaydar commented 10 months ago

> > I've got the same issue - generating a new token solves the problem, but it's weird as the old token hasn't expired. Any way to further investigate this?
>
> One possible reason for this: if you used a user token and SSO is enabled, the token would only be active whilst the SSO session remains active.

Thanks @srlynch1 - yes that was the problem. What's a better way to handle this, without relying on an active SSO session? ~Is it recommended to use an organisation token in this case?~ I just saw that an organisation token does not have permission to perform plans and applies in workspaces. Should I use a team token?

srlynch1 commented 10 months ago

Not an org token, generally you would use a team token.

If it's Terraform Enterprise, it's also possible to flag a user account as a service account via SAML assertion using `IsServiceAccount`.
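
One way to investigate which kind of token a workflow holds before the upload step fails, as an added example that is not part of this thread or of the tfc-workflows-github project. It assumes the HCP Terraform `GET /api/v2/account/details` endpoint and its `is-service-account` / `is-sso-login` attributes (check them against the API docs for your version); the helper names and sample responses are constructed for illustration.

```python
import json
import os
import urllib.error
import urllib.request


def fetch_account(token, hostname="app.terraform.io"):
    """GET /api/v2/account/details; returns (http_status, parsed_body_or_None)."""
    req = urllib.request.Request(
        f"https://{hostname}/api/v2/account/details",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/vnd.api+json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # 401 and other non-2xx answers
        return err.code, None


def classify(status, body):
    """Turn the API answer into a verdict a CI preflight step can act on."""
    if status == 401:
        return "rejected: token revoked, expired, or tied to an ended SSO session"
    if status != 200 or not body:
        return f"inconclusive: HTTP {status}"
    attrs = body.get("data", {}).get("attributes", {})
    if attrs.get("is-service-account"):
        return "ok: team/organization token (service account)"
    if attrs.get("is-sso-login"):
        return "risky: user token for an SSO login, inactive once the session ends"
    return "risky: personal user token, tied to one person's account"


# Constructed sample responses (not captured from a real organization).
SAMPLE_TEAM = {"data": {"attributes": {"username": "api-team_example",
                                       "is-service-account": True}}}
SAMPLE_SSO_USER = {"data": {"attributes": {"username": "example-user",
                                           "is-service-account": False,
                                           "is-sso-login": True}}}

if __name__ == "__main__":
    token = os.environ.get("TF_API_TOKEN")
    if token:  # live check; only the verdict is printed, never the token
        print(classify(*fetch_account(token)))
    else:      # offline demo on the constructed samples
        for status, body in [(200, SAMPLE_TEAM), (200, SAMPLE_SSO_USER), (401, None)]:
            print(classify(status, body))
```

Run as a workflow step ahead of `upload-configuration`, a "rejected" or "risky" verdict points at the token type rather than at the workspace or organization settings.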