pulumi / pulumi-terraform

A resource package that allows Pulumi programs to use Terraform state
Apache License 2.0
112 stars 18 forks

backendType s3 does not work with Yandex Storage #613

Closed romcheck closed 3 years ago

romcheck commented 3 years ago

I am trying to use RemoteStateReference with backendType: s3

S3 provider is Yandex Cloud

Steps to reproduce

  1. Apply any terraform resource with Yandex Storage remote state.
  2. Use pulumi-terraform module:
import * as tf from "@pulumi/terraform";

const postgresqlRemoteState = new tf.state.RemoteStateReference("postgresql", {
  backendType: "s3",
  endpoint: "storage.yandexcloud.net",
  bucket: "fans-pulumi-state",
  region: "us-east-1",
  key: "postgresql",
});

Expected: successfully created resource

Actual:

Previewing update (production):
     Type                                     Name            Plan       Info
 +   pulumi:pulumi:Stack                      app-production  create     1 error
     └─ terraform:state:RemoteStateReference  postgresql                 1 error

Diagnostics:
  pulumi:pulumi:Stack (app-production):
    error: preview failed

  terraform:state:RemoteStateReference (postgresql):
    error: Preview failed: error in backend configuration: error configuring S3 Backend: error validating provider credentials: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid.
        status code: 403

I use credential envs with verified values (working successfully with other tools):

AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_DEFAULT_REGION=

Also tried to use them directly as corresponding properties with no luck.

stack72 commented 3 years ago

Hi @romcheck

Is this a backend you already have in place and is configured with your terraform configuration?

Paul

romcheck commented 3 years ago

> Hi @romcheck
>
> Is this a backend you already have in place and is configured with your terraform configuration?
>
> Paul

Hi Paul

Absolutely. It is configured and working successfully:

terraform {
  required_providers {
    yandex = {
      source  = "yandex-cloud/yandex"
      version = "0.61.0"
    }
  }

  backend "s3" {
    endpoint   = "storage.yandexcloud.net"
    bucket     = "fans-pulumi-state"
    key        = "postgresql"

    skip_region_validation      = true
    skip_credentials_validation = true
  }
}

stack72 commented 3 years ago

ok, so the skip_* are the missing piece here - we must support those to ensure we are not assuming it's an S3 backend.

I will get those added this iteration

Sorry about that!

Paul
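
The following is an added sketch, not code from pulumi-terraform or from either participant: a preflight check for the condition this thread identifies, an S3 backend pointed at a non-AWS endpoint while credential validation is still enabled, which is what produced the sts:GetCallerIdentity 403 above. The names `S3BackendConfig`, `isAwsEndpoint` and `lintS3Backend` are hypothetical, the keys mirror the Terraform backend block quoted in the thread (`sts_endpoint` is a Terraform s3 backend setting that the thread does not use), and the region check only approximates region validation by name shape.

```typescript
// Added example; names are hypothetical, keys mirror the Terraform s3 backend block.
interface S3BackendConfig {
  endpoint?: string;
  sts_endpoint?: string; // Terraform s3 backend setting, not used in the thread
  region?: string;
  skip_credentials_validation?: boolean;
  skip_region_validation?: boolean;
}

// Unset endpoint means the AWS default; otherwise compare the host name only.
function isAwsEndpoint(endpoint?: string): boolean {
  if (!endpoint) return true;
  const host = endpoint
    .replace(/^[a-z][a-z0-9+.-]*:\/\//i, "") // drop the scheme, if any
    .split(/[/:?#]/)[0]                        // drop port, path and query
    .toLowerCase();
  return /(^|\.)amazonaws\.com(\.cn)?$/.test(host);
}

// Approximation: checks the shape of an AWS region name, not the real region list.
const AWS_REGION_SHAPE = /^[a-z]{2}(-[a-z]+)+-\d+$/;

function lintS3Backend(cfg: S3BackendConfig): string[] {
  const findings: string[] = [];
  if (isAwsEndpoint(cfg.endpoint)) return findings;
  if (!cfg.skip_credentials_validation && !cfg.sts_endpoint) {
    findings.push("credentials-validation: keys for a non-AWS endpoint will be " +
      "checked with sts:GetCallerIdentity against AWS and rejected (403)");
  }
  if (cfg.region && !AWS_REGION_SHAPE.test(cfg.region) && !cfg.skip_region_validation) {
    findings.push(`region-validation: "${cfg.region}" is not an AWS region name`);
  }
  return findings;
}

// Values copied from the thread: the failing Pulumi args and the working Terraform block.
const reportedArgs: S3BackendConfig = { endpoint: "storage.yandexcloud.net", region: "us-east-1" };
const workingBackend: S3BackendConfig = {
  endpoint: "storage.yandexcloud.net",
  skip_region_validation: true,
  skip_credentials_validation: true,
};

console.log(lintS3Backend(reportedArgs));   // one credentials-validation finding
console.log(lintS3Backend(workingBackend)); // []
```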