oracle / terraform-provider-oci

Terraform Oracle Cloud Infrastructure provider
https://www.terraform.io/docs/providers/oci/
Mozilla Public License 2.0

OCI Provider requires private_key when using Terraform Cloud to store terraform.tfstate file #2060

Open bschonec opened 6 months ago

bschonec commented 6 months ago

I switched from using both local and http backends to store my tfstate file to the free tier of Terraform Cloud. I am using the private_key_path argument in the OCI provider to specify the token for Oracle Cloud API access. I am not using the private_key argument to the OCI provider. After changing the terraform code from http backend to Terraform Cloud Configuration, 'terraform apply' now requires me to specify the private_key argument to the OCI provider even though this was not necessary before moving to Terraform Cloud.

The OCI provider documentation states that private_key_path is used if private_key is not defined, which is the behavior with the local and http backends. This is not the behavior I am experiencing when using Terraform Cloud.

Terraform Version and Provider Version

Terraform v1.7.4
on linux_amd64
+ provider registry.terraform.io/hashicorp/template v2.2.0
+ provider registry.terraform.io/oracle/oci v5.31.0

Affected Resource(s)

provider "oci"

Terraform Configuration Files

terraform {
  required_version = "~> 1.7"
  cloud {
    organization = "example-org"
    token        = "my_token_string"
    workspaces {
      name = "my_workspace1"
    }   
  }
  required_providers {
    template = { 
      source  = "hashicorp/template"
      version = "~> 2.2"
    }   
    oci = { 
      source  = "oracle/oci"
      version = "~> 5.31.0"
    }   
  }
}

provider "oci" {
  tenancy_ocid = "ocid1.tennancy....."
  user_ocid    = "ocid1.user.oc1....."
  fingerprint  = "ab:cd:ef:00:12:34..."
  region       = "us-ashburn-1"
  private_key_path = "/home/example/.oci/oci_api_key.pem"
}

Debug Output

Waiting for the plan to start...

Terraform v1.7.4
on linux_amd64
Initializing plugins and modules...
data.template_file.cloud-config: Refreshing...
data.template_file.cloud-config: Refresh complete after 0s [id=3699b9c3528d59de299396073316bcb615abe4189dc18e0b401a81414ab62798]
╷
│ Error: can not create client, bad configuration: did not find a proper configuration for private key
│ 
│   with provider["registry.terraform.io/oracle/oci"],
│   on provider.tf line 22, in provider "oci":
│   22: provider "oci" {
│ 
╵
Operation failed: failed running terraform plan (exit 1)

Expected Behavior

terraform plan should not be erroring out when private_key_path is specified but private_key is not specified.

Note that if I do specify the private_key value, 'terraform plan' works fine.

dhoogfr commented 5 months ago

@bschonec How is your workspace configuration done on TF Cloud?

It is my understanding that you can either set it to CLI driven or use a version control workflow, but in both situations it is TF Cloud which is running the plan / apply and the log is streamed to the client. So, it's not just a storage backend for the state file.

In that case it is normal that it requests the key as it doesn't have access to your key file.

Within TF Cloud you can define variables for your workspace / project and also set them to sensitive (write only). This allows you to define a private_key variable and mark it as sensitive, which will be picked up during the run.
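The sensitive-variable approach described in the comment above, written out as an added example (not code from this thread or from the provider project). The variable names are hypothetical; the provider arguments are the ones used in the issue.

```hcl
# Added example. All variable names below are assumptions for illustration.

variable "tenancy_ocid" { type = string }
variable "user_ocid"    { type = string }
variable "fingerprint"  { type = string }

# Remote runs: define "oci_private_key" as a Terraform variable on the
# workspace, paste the full PEM text as its value, and mark it sensitive.
variable "oci_private_key" {
  description = "PEM contents of the OCI API signing key (the key text, not a path)."
  type        = string
  sensitive   = true # redacted in plan/apply output; still stored in state
  default     = null
}

# Local runs only: a path is resolved on the machine that executes Terraform.
# A Terraform Cloud remote worker has no /home/<user>/.oci directory.
variable "oci_private_key_path" {
  description = "Path to the PEM file on the machine executing Terraform."
  type        = string
  default     = null
}

provider "oci" {
  tenancy_ocid = var.tenancy_ocid
  user_ocid    = var.user_ocid
  fingerprint  = var.fingerprint
  region       = "us-ashburn-1"

  # A null argument is treated as unset, so whichever of the two values is
  # supplied for the current run is the one the provider sees.
  private_key      = var.oci_private_key
  private_key_path = var.oci_private_key_path
}
```

A workspace whose execution mode is set to Local runs plan and apply on your own machine and uses Terraform Cloud only for state storage, in which case the file path remains readable.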

tf-oci-pub commented 5 months ago

Thank you for reporting the issue. We observed the affected resources are not provided in the description or are incorrect. We request that you add them to the issue description in the format below. Example: affected_resources = oci_core_instance , oci_core_instances

If it's not related to any particular resource, then mention the affected resource as terraform. Example: affected_resources = terraform

As this works through automation, we request that you follow the exact syntax.