microsoft / terraform-provider-azuredevops

Terraform Azure DevOps provider
https://www.terraform.io/docs/providers/azuredevops/
MIT License

ISSUE: Usage of variables in provider declaration does not flow through to nested modules. #296

Open jameswestall opened 3 years ago

jameswestall commented 3 years ago

I am having a similar/same issue to #239 since the Terraform upgrade from 0.13 to 0.14.6.

I am entirely unable to use variables in the provider configuration WHEN using custom modules which hold Azure DevOps resources.

TF Version

terraform -v
Terraform v0.14.6
+ provider registry.terraform.io/hashicorp/random v3.0.1
+ provider registry.terraform.io/microsoft/azuredevops v0.1.2
+ provider registry.terraform.io/terraform-providers/azuredevops v0.1.2

Steps to reproduce

Error Example

export ARM_ACCESS_KEY=redacted
james@macbook-pro %~$ terraform init \
>     -backend-config="storage_account_name=contosostoragething" \
>     -backend-config="container_name=statecontainer" \
>     -backend-config="key=azdoissuedemo.terraform.tfstate"
Initializing modules...

Initializing the backend...

Successfully configured the backend "azurerm"! Terraform will automatically
use this backend unless the backend configuration changes.

Initializing provider plugins...
- Finding latest version of terraform-providers/azuredevops...
- Finding latest version of microsoft/azuredevops...
- Finding latest version of hashicorp/random...
- Installing hashicorp/random v3.0.1...
- Installed hashicorp/random v3.0.1 (signed by HashiCorp)
- Installing terraform-providers/azuredevops v0.1.2...
- Installed terraform-providers/azuredevops v0.1.2 (signed by HashiCorp)
- Installing microsoft/azuredevops v0.1.2...
- Installed microsoft/azuredevops v0.1.2 (signed by a HashiCorp partner, key ID 6F0B91BDE98478CF)

<REDACTED FOR BREVITY>

Terraform has been successfully initialized!

<REDACTED FOR BREVITY>

james@macbook-pro %~$ terraform plan -var="personal_access_token=redacted" -var="org_service_url=redacted"

Error: the personal access token is required

  on <empty> line 0:
  (source code not available)

Post removal of pat and url variables within the Azure DevOps provider, this nested module begins to function.

Functioning Output

james@macbook-pro %~$ #remove var references
james@macbook-pro %~$ vi ./issuedemo.tf
james@macbook-pro %~$ terraform plan
Acquiring state lock. This may take a few moments...

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

<REDACTED RESOURCE CONFIGURATION FOR BREVITY>

Plan: 8 to add, 0 to change, 0 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.

xuzhang3 commented 3 years ago

Hi @jameswestall, this is not an ADO provider issue. You should define the variables in the child module too; you can reference this post: https://discuss.hashicorp.com/t/accessing-variables-declared-and-defined-in-parent-from-child-module/10462/6

Working configuration is:

  1. Add org_service_url and personal_access_token to demo-module-usage configure block:

    module "demo-module-usage" {
      ...
      org_service_url       = var.org_service_url
      personal_access_token = var.personal_access_token
    }

  2. Define org_service_url and personal_access_token in variables.tf and reference the root module's configuration

    //link to root module configuration
    variable "org_service_url" {
      description = "Name of the VPC"
    }

    variable "personal_access_token" {
      description = "Private IP block for the VPC in CIDR format"
    }

    //provider configure
    provider "azuredevops" {
      org_service_url       = var.org_service_url
      personal_access_token = var.personal_access_token
    }

jameswestall commented 3 years ago

@xuzhang3 - I'm not sure if you're correctly understanding the problem I've described. What I'm experiencing is not aligned to the Terraform documentation and expected behaviour. From the provider documentation:

"Provider configurations, unlike most other concepts in Terraform, are global to an entire Terraform configuration and can be shared across module boundaries"

See here for implicit inheritance guidance: https://www.terraform.io/docs/language/modules/develop/providers.html#implicit-provider-inheritance

Removing the module for DevOps resources also fixes this issue, however this means we are not allowed to create standardised modules for resources.

xuzhang3 commented 3 years ago

@jameswestall I get your point, I need more investigation on this issue.

jameswestall commented 3 years ago

Hey there @xuzhang3 - Not to rush you on this issue, but is there anything I can help collect for diagnosis?

xuzhang3 commented 3 years ago

Hi @jameswestall, this issue is still under investigation. ADO reads personal_access_token and org_service_url from environment configurations. As -var can pass the configurations and ADO can find them, I assume these variables are set in the Terraform context session. The problem is that sub modules cannot get this configuration; we need to figure out whether this is an ADO provider issue or whether Terraform forbids this.
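
A diagnostic a reader can run on the `terraform -v` output posted in the issue (an added example, not part of the thread and not the provider's own code): it flags any provider type installed from more than one source address, because Terraform treats each source address as a separate provider with its own configuration. The sample text is the version output from the issue; the function names are hypothetical, and the thread does not confirm this as the cause.

```python
import re
from collections import defaultdict

# Provider lines copied from the `terraform -v` output in the issue.
SAMPLE_VERSION_OUTPUT = """\
Terraform v0.14.6
+ provider registry.terraform.io/hashicorp/random v3.0.1
+ provider registry.terraform.io/microsoft/azuredevops v0.1.2
+ provider registry.terraform.io/terraform-providers/azuredevops v0.1.2
"""

# Shape of one line: "+ provider <hostname>/<namespace>/<type> v<version>"
PROVIDER_LINE = re.compile(
    r"^\+ provider (?P<host>[^/\s]+)/(?P<namespace>[^/\s]+)/(?P<type>[^/\s]+)"
    r" v(?P<version>\S+)$"
)


def parse_providers(version_output):
    """Return (source_address, provider_type, version) for each provider line."""
    found = []
    for line in version_output.splitlines():
        m = PROVIDER_LINE.match(line.strip())
        if m:
            source = "{host}/{namespace}/{type}".format(**m.groupdict())
            found.append((source, m["type"], m["version"]))
    return found


def duplicate_provider_types(version_output):
    """Map provider type -> sorted source addresses, where more than one exists."""
    by_type = defaultdict(set)
    for source, ptype, _version in parse_providers(version_output):
        by_type[ptype].add(source)
    return {t: sorted(s) for t, s in by_type.items() if len(s) > 1}


if __name__ == "__main__":
    for ptype, sources in duplicate_provider_types(SAMPLE_VERSION_OUTPUT).items():
        print(f"provider type '{ptype}' is installed from {len(sources)} sources:")
        for source in sources:
            print(f"  {source}")
```

A `provider "azuredevops"` block configures only the source address that its module maps to the local name `azuredevops` in `required_providers`; resources bound to a different source address get no `personal_access_token` from it.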