AWS Environment Variable Errors #23283

Closed
lee5i3 opened this issue Nov 5, 2019 · 8 comments · Fixed by #23358
Labels
backend/remote bug v0.12 Issues (primarily bugs) reported against v0.12 releases

lee5i3 commented Nov 5, 2019

I am running into errors when trying to import my existing AWS resources into Terraform Enterprise remote state.

On Terraform v0.12.13, when I run

```
terraform import <module> <aws name>
```

It says

```
Acquiring state lock. This may take a few moments...

Warning: Value for var.AWS_ACCESS_KEY_ID unavailable

The value of variable "AWS_ACCESS_KEY_ID" is marked as sensitive in the remote
workspace. This operation always runs locally, so the value for that variable
is not available.

Warning: Value for var.AWS_SECRET_ACCESS_KEY unavailable

The value of variable "AWS_SECRET_ACCESS_KEY" is marked as sensitive in the
remote workspace. This operation always runs locally, so the value for that
variable is not available.

Error: Value for undeclared variable

A variable named "AWS_ACCESS_KEY_ID" was assigned a value, but the root module
does not declare a variable of that name. To use this value, add a "variable"
block to the configuration.

Error: Value for undeclared variable

A variable named "AWS_SECRET_ACCESS_KEY" was assigned a value, but the root
module does not declare a variable of that name. To use this value, add a
"variable" block to the configuration.
```

However, when I downgrade to Terraform v0.12.12, it works fine.

Author

lee5i3 commented Nov 5, 2019

My workaround was to add the following to my variables, import, then remove them:

```hcl
variable "AWS_SECRET_ACCESS_KEY" {
  default = ""
}

variable "AWS_ACCESS_KEY_ID" {
  default = ""
}
```


acdha commented Nov 5, 2019

This isn't just the AWS keys — I ran into it with some variables we'd set for our accounts which aren't used by the AWS SDK but do have “AWS” in the name.

Contributor

teamterraform commented Nov 5, 2019

Hi @lee5i3! Thanks for reporting this.

We'd like to understand a bit better what situation is leading to this behavior. It sounds like you don't have either the AWS_SECRET_ACCESS_KEY or AWS_ACCESS_KEY_ID variables defined in your configuration, but yet somehow Terraform is deciding they are set. Is that correct?

Our best guess right now is that in your Terraform Cloud or Terraform Enterprise remote workspace you have configured stored values for these AWS_SECRET_ACCESS_KEY and AWS_ACCESS_KEY_ID variables, but there is no corresponding variable defined in the configuration. If that's true, then per Terraform's intended behavior it seems like it is the new behavior that is correct: Terraform is correctly reporting that you've set a variable that isn't declared.

To fix it, you can either declare those variables as you showed in your follow-up comment (if you do actually need them) or you can remove them from the settings in the remote workspace in Terraform Cloud or Terraform Enterprise (if they are not actually needed).

Based on the names of these, we wonder if you intended to create these actually as environment variables rather than Terraform variables. Both of those are configurable on the same page in Terraform Cloud and Enterprise, and setting both of these in the Environment Variables section will allow the AWS provider to access them for remote operations run inside Terraform Cloud, and allow you to separately set them locally when you run commands like terraform import which do not support remote operations.

This specific situation aside, the general rule here is that only Terraform variables actually declared in the configuration should be configured in the remote workspace. When Terraform is running local operations against a remote workspace (as with terraform import), it will fetch all of the non-sensitive variables defined on the remote workspace and try to use them for the local operation, leading to this error if the variables in question are not declared.

It sounds like prior versions of Terraform were incorrectly permitting these undeclared variables, and thus allowing the import operation to work in spite of the incorrect configuration.

@teamterraform teamterraform added backend/remote bug v0.12 Issues (primarily bugs) reported against v0.12 releases waiting-response An issue/pull request is waiting for a response from the community labels Nov 5, 2019
Author

lee5i3 commented Nov 5, 2019

Yes, we are using Terraform Cloud. We have the AWS credentials set as Environment Variables in each workspace; they are not set as Terraform Variables.

@ghost ghost removed the waiting-response An issue/pull request is waiting for a response from the community label Nov 5, 2019

triduongtran commented Nov 5, 2019

@teamterraform I ran into the exact same issue just like @lee5i3 which I’m trying to explain here:

On terraform 0.12.12 we used to successfully declare environment variables (not terraform variables) AWS_ACCESS_KEY_ID and the respective AWS_SECRET_ACCESS_KEY and let the remote workspace apply changes on AWS. When using terraform import locally we of course have to set the respective environment variables for the CLI because the variables in the workspace are not used.

The scenario I described above used to work with terraform 0.12.12 but since 0.12.13 the same procedure exits with the error as @lee5i3 pointed out.

My expectation here is that terraform should not require me to define a terraform variable for these environment variables in my terraform template.


acdha commented Nov 6, 2019

My project similarly set those as environmental variables specifically following the recommendation to avoid this error. We were bulk provisioning workspaces and set a couple of environmental variables (e.g. TF_VAR_AWS_ACCOUNT_NAME) which the user wouldn’t have permission to retrieve directly.

(And to be clear: 0% chance these were Terraform variables – they were set by reviewed code, and Terraform was used for many tasks for months until the last release.)

@teamterraform
Contributor

Thanks for the additional context, all!

It sounds like the remote backend is incorrectly interpreting both the Terraform variables and the environment variables as if they are Terraform variables. In the underlying Terraform Cloud API the two are represented together as a single type of object, so it sounds like there's some missing filtering logic which wasn't previously causing problems because the validation of valid variable names wasn't working at all in prior releases.

We'll get this fixed up so that it will only try to use the ones defined under "Terraform Variables" in the UI, and ignore the ones under "Environment Variables".
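
The missing filter described in the comment above, sketched as an added example (not Terraform's own code and not the change in #23358). `RemoteVar`, `LoadForLocalRun` and the sample workspace are hypothetical names and constructed data; the `terraform`/`env` category strings are assumed to match what the Terraform Cloud variables API returns.

```go
package main

import "fmt"

// RemoteVar is a hypothetical stand-in for the single object type the
// workspace API uses for both Terraform and environment variables.
type RemoteVar struct {
	Key, Value string
	Category   string // assumed values: "terraform" or "env"
	Sensitive  bool
}

// LoadForLocalRun builds the values a local operation (such as import) may use.
// filterEnv=false models the 0.12.13 behaviour reported in this issue.
func LoadForLocalRun(vars []RemoteVar, declared map[string]bool, filterEnv bool) (map[string]string, []string) {
	values := map[string]string{}
	var diags []string
	for _, v := range vars {
		if filterEnv && v.Category != "terraform" {
			continue // environment variables never enter the Terraform context
		}
		if v.Sensitive {
			// Sensitive values are write-only remotely, so none is fetched.
			diags = append(diags, "Warning: Value for var."+v.Key+" unavailable")
		}
		if !declared[v.Key] {
			diags = append(diags, "Error: Value for undeclared variable "+v.Key)
			continue
		}
		if !v.Sensitive {
			values[v.Key] = v.Value
		}
	}
	return values, diags
}

// Constructed sample workspace: credentials stored as sensitive environment
// variables, plus one ordinary Terraform variable.
var sample = []RemoteVar{
	{"AWS_ACCESS_KEY_ID", "", "env", true},
	{"AWS_SECRET_ACCESS_KEY", "", "env", true},
	{"region", "us-east-1", "terraform", false},
}

func main() {
	declared := map[string]bool{"region": true} // root module declares only "region"
	for _, filter := range []bool{false, true} {
		vals, diags := LoadForLocalRun(sample, declared, filter)
		fmt.Println("filterEnv:", filter, "values:", vals, "diagnostics:", diags)
	}
}
```

Without the category filter the two credential entries produce the same two warnings and two errors shown in the original report; with it, only `region` is loaded and the credentials stay out of the Terraform variable context.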

beekus added a commit to beekus/terraform that referenced this issue Nov 13, 2019
Following up on hashicorp#23122, the remote system (Terraform Cloud or
Enterprise) serves environment and Terraform variables using a single
type of object. We only should load Terraform variables into the
Terraform context.

Fixes hashicorp#23283.
pselle pushed a commit that referenced this issue Nov 13, 2019
…3358)

* backend/remote: Filter environment variables when loading context

Following up on #23122, the remote system (Terraform Cloud or
Enterprise) serves environment and Terraform variables using a single
type of object. We only should load Terraform variables into the
Terraform context.

Fixes #23283.

ghost commented Mar 28, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Mar 28, 2020