Incorrect plan on tfe_ resources when TFE_TOKEN env var is not set in TFE workspace #36243

Open
magzim21 opened this issue Dec 21, 2024 · 1 comment
Labels: bug, cloud (Related to Terraform Cloud's integration with Terraform), new (new issue not yet triaged)

magzim21 commented Dec 21, 2024

Terraform Version

Terraform v1.9.3
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v5.56.1
+ provider registry.terraform.io/hashicorp/tfe v0.55.0
+ provider registry.terraform.io/hashicorp/tls v4.0.6

Your version of Terraform is out of date! The latest version
is 1.10.2. You can update by downloading from https://www.terraform.io/downloads.html

Terraform Configuration Files

First I create tfe resources locally, then uncomment terraform cloud backend and run terraform init, answer "yes" to migrate state.

Debug Output

Running apply after the state had been migrated

terraform apply
Running apply in HCP Terraform. Output will stream here. Pressing Ctrl-C
will cancel the remote apply if it's still pending. If the apply started it
will stop streaming the logs, but will not stop the apply running remotely.

Preparing the remote apply...

To view this run in a browser, visit:
https://app.terraform.io/app/gigapenguins/org/runs/run-2Q41hQniDnma8qeo

Waiting for the plan to start...

Terraform v1.9.8
on linux_amd64
Initializing plugins and modules...
data.tfe_organization.this: Refreshing...
module.org_account.data.tls_certificate.terraform_cloud: Refreshing...
tfe_workspace.this["apps-stg"]: Refreshing state... [id=ws-8QnkL9QyWRZsuVPL]
tfe_workspace.this["infra-dev"]: Refreshing state... [id=ws-xRZuMgPctMHZWzTF]
tfe_workspace.this["apps-tests"]: Refreshing state... [id=ws-A817FY22aRN8F2q3]
tfe_workspace.this["apps-prod"]: Refreshing state... [id=ws-z2GDCfQ8KNth71f3]
tfe_workspace.this["org"]: Refreshing state... [id=ws-ZUQRyQJbsni3vKja]
tfe_workspace.this["apps-dev"]: Refreshing state... [id=ws-7DDHR2xaJudw8RM8]
tfe_workspace.this["infra-prod"]: Refreshing state... [id=ws-HSBkfvVTf5e2vzPU]
module.org_account.data.tls_certificate.terraform_cloud: Refresh complete after 0s [id=ebb6b5e1bae10fcd4125dc26813af52dcd4695a9]
tfe_workspace.this["infra-tests"]: Refreshing state... [id=ws-gPXmGrk9qNnTucSd]
data.tfe_organization.this: Refresh complete after 0s [id=org-VcTS3LLWgkbGbM5z]
module.org_account.aws_s3_account_public_access_block.this: Refreshing state... [id=491085405411]
module.org_account.data.aws_iam_policy.administrator_access: Refreshing...
module.org_account.aws_iam_account_alias.alias: Refreshing state... [id=gigapenguins]
module.org_account.aws_iam_openid_connect_provider.terraform_cloud: Refreshing state... [id=arn:aws:iam::491085405411:oidc-provider/app.terraform.io]
module.org_account.data.aws_iam_policy.administrator_access: Refresh complete after 0s [id=arn:aws:iam::aws:policy/AdministratorAccess]
module.org_account.aws_iam_role.terraform_cloud: Refreshing state... [id=terraform_cloud]
tfe_workspace.this["org"]: Drift detected (update)
╷
│ Warning: Value for undeclared variable
│
│ The root module does not declare a variable named "TFE_TOKEN" but a value
│ was found in file
│ "/home/tfc-agent/.tfc-agent/component/terraform/runs/run-2Q41hQniDnma8qeo/terraform.tfvars".
│ If you meant to use this value, add a "variable" block to the
│ configuration.
│
│ To silence these warnings, use TF_VAR_... environment variables to provide
│ certain "global" settings to all configurations in your organization. To
│ reduce the verbosity of these warnings, use the -compact-warnings option.
╵

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan:

  # tfe_workspace.this["org"] has changed
  ~ resource "tfe_workspace" "this" {
        id                            = "ws-ZUQRyQJbsni3vKja"
        name                          = "org"
      ~ resource_count                = 77 -> 15
        # (26 unchanged attributes hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # tfe_organization_membership.this["[email protected]"] will be created
  + resource "tfe_organization_membership" "this" {
      + email        = "[email protected]"
      + id           = (known after apply)
      + organization = "gigapenguins"
      + user_id      = (known after apply)
      + username     = (known after apply)
    }

  # tfe_project.this["apps"] will be created
  + resource "tfe_project" "this" {
      + id           = (known after apply)
      + name         = "apps"
      + organization = "gigapenguins"
        # (1 unchanged attribute hidden)
    }

  # tfe_project.this["infra"] will be created
  + resource "tfe_project" "this" {
      + id           = (known after apply)
      + name         = "infra"
      + organization = "gigapenguins"
        # (1 unchanged attribute hidden)
    }

  # tfe_project.this["org"] will be created
  + resource "tfe_project" "this" {
      + id           = (known after apply)
      + name         = "org"
      + organization = "gigapenguins"
        # (1 unchanged attribute hidden)
    }

  # tfe_project_variable_set.project["apps"] will be created
  + resource "tfe_project_variable_set" "project" {
      + id              = (known after apply)
      + project_id      = (known after apply)
      + variable_set_id = (known after apply)
    }

  # tfe_project_variable_set.project["infra"] will be created
  + resource "tfe_project_variable_set" "project" {
      + id              = (known after apply)
      + project_id      = (known after apply)
      + variable_set_id = (known after apply)
    }

  # tfe_project_variable_set.project["org"] will be created
  + resource "tfe_project_variable_set" "project" {
      + id              = (known after apply)
      + project_id      = (known after apply)
      + variable_set_id = (known after apply)
    }

  # tfe_team.owners will be created
  + resource "tfe_team" "owners" {
      + id           = (known after apply)
      + name         = "owners"
      + organization = (known after apply)
      + visibility   = "secret"

      + organization_access (known after apply)
    }

  # tfe_team_organization_member.owners["[email protected]"] will be created
  + resource "tfe_team_organization_member" "owners" {
      + id                         = (known after apply)
      + organization_membership_id = (known after apply)
      + team_id                    = (known after apply)
    }

  # tfe_variable.argocd_admin_password["infra-dev"] will be created
  + resource "tfe_variable" "argocd_admin_password" {
      + category     = "terraform"
      + description  = "Sets the initial admin password for ArgoCD"
      + hcl          = false
      + id           = (known after apply)
      + key          = "argocd_admin_password"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-xRZuMgPctMHZWzTF"
    }

  # tfe_variable.argocd_admin_password["infra-prod"] will be created
  + resource "tfe_variable" "argocd_admin_password" {
      + category     = "terraform"
      + description  = "Sets the initial admin password for ArgoCD"
      + hcl          = false
      + id           = (known after apply)
      + key          = "argocd_admin_password"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-HSBkfvVTf5e2vzPU"
    }

  # tfe_variable.argocd_admin_password["infra-tests"] will be created
  + resource "tfe_variable" "argocd_admin_password" {
      + category     = "terraform"
      + description  = "Sets the initial admin password for ArgoCD"
      + hcl          = false
      + id           = (known after apply)
      + key          = "argocd_admin_password"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-gPXmGrk9qNnTucSd"
    }

  # tfe_variable.datadog_api_key["apps-dev"] will be created
  + resource "tfe_variable" "datadog_api_key" {
      + category     = "terraform"
      + description  = "Datadog API key."
      + hcl          = false
      + id           = (known after apply)
      + key          = "datadog_api_key"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-7DDHR2xaJudw8RM8"
    }

  # tfe_variable.datadog_api_key["apps-prod"] will be created
  + resource "tfe_variable" "datadog_api_key" {
      + category     = "terraform"
      + description  = "Datadog API key."
      + hcl          = false
      + id           = (known after apply)
      + key          = "datadog_api_key"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-z2GDCfQ8KNth71f3"
    }

  # tfe_variable.datadog_api_key["apps-stg"] will be created
  + resource "tfe_variable" "datadog_api_key" {
      + category     = "terraform"
      + description  = "Datadog API key."
      + hcl          = false
      + id           = (known after apply)
      + key          = "datadog_api_key"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-8QnkL9QyWRZsuVPL"
    }

  # tfe_variable.datadog_api_key["apps-tests"] will be created
  + resource "tfe_variable" "datadog_api_key" {
      + category     = "terraform"
      + description  = "Datadog API key."
      + hcl          = false
      + id           = (known after apply)
      + key          = "datadog_api_key"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-A817FY22aRN8F2q3"
    }

  # tfe_variable.datadog_api_key["infra-dev"] will be created
  + resource "tfe_variable" "datadog_api_key" {
      + category     = "terraform"
      + description  = "Datadog API key."
      + hcl          = false
      + id           = (known after apply)
      + key          = "datadog_api_key"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-xRZuMgPctMHZWzTF"
    }

  # tfe_variable.datadog_api_key["infra-prod"] will be created
  + resource "tfe_variable" "datadog_api_key" {
      + category     = "terraform"
      + description  = "Datadog API key."
      + hcl          = false
      + id           = (known after apply)
      + key          = "datadog_api_key"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-HSBkfvVTf5e2vzPU"
    }

  # tfe_variable.datadog_api_key["infra-tests"] will be created
  + resource "tfe_variable" "datadog_api_key" {
      + category     = "terraform"
      + description  = "Datadog API key."
      + hcl          = false
      + id           = (known after apply)
      + key          = "datadog_api_key"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-gPXmGrk9qNnTucSd"
    }

  # tfe_variable.datadog_api_key["org"] will be created
  + resource "tfe_variable" "datadog_api_key" {
      + category     = "terraform"
      + description  = "Datadog API key."
      + hcl          = false
      + id           = (known after apply)
      + key          = "datadog_api_key"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-ZUQRyQJbsni3vKja"
    }

  # tfe_variable.datadog_app_key["apps-dev"] will be created
  + resource "tfe_variable" "datadog_app_key" {
      + category     = "terraform"
      + description  = "Datadog App key."
      + hcl          = false
      + id           = (known after apply)
      + key          = "datadog_app_key"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-7DDHR2xaJudw8RM8"
    }

  # tfe_variable.datadog_app_key["apps-prod"] will be created
  + resource "tfe_variable" "datadog_app_key" {
      + category     = "terraform"
      + description  = "Datadog App key."
      + hcl          = false
      + id           = (known after apply)
      + key          = "datadog_app_key"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-z2GDCfQ8KNth71f3"
    }

  # tfe_variable.datadog_app_key["apps-stg"] will be created
  + resource "tfe_variable" "datadog_app_key" {
      + category     = "terraform"
      + description  = "Datadog App key."
      + hcl          = false
      + id           = (known after apply)
      + key          = "datadog_app_key"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-8QnkL9QyWRZsuVPL"
    }

  # tfe_variable.datadog_app_key["apps-tests"] will be created
  + resource "tfe_variable" "datadog_app_key" {
      + category     = "terraform"
      + description  = "Datadog App key."
      + hcl          = false
      + id           = (known after apply)
      + key          = "datadog_app_key"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-A817FY22aRN8F2q3"
    }

  # tfe_variable.datadog_app_key["infra-dev"] will be created
  + resource "tfe_variable" "datadog_app_key" {
      + category     = "terraform"
      + description  = "Datadog App key."
      + hcl          = false
      + id           = (known after apply)
      + key          = "datadog_app_key"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-xRZuMgPctMHZWzTF"
    }

  # tfe_variable.datadog_app_key["infra-prod"] will be created
  + resource "tfe_variable" "datadog_app_key" {
      + category     = "terraform"
      + description  = "Datadog App key."
      + hcl          = false
      + id           = (known after apply)
      + key          = "datadog_app_key"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-HSBkfvVTf5e2vzPU"
    }

  # tfe_variable.datadog_app_key["infra-tests"] will be created
  + resource "tfe_variable" "datadog_app_key" {
      + category     = "terraform"
      + description  = "Datadog App key."
      + hcl          = false
      + id           = (known after apply)
      + key          = "datadog_app_key"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-gPXmGrk9qNnTucSd"
    }

  # tfe_variable.datadog_app_key["org"] will be created
  + resource "tfe_variable" "datadog_app_key" {
      + category     = "terraform"
      + description  = "Datadog App key."
      + hcl          = false
      + id           = (known after apply)
      + key          = "datadog_app_key"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-ZUQRyQJbsni3vKja"
    }

  # tfe_variable.environment["dev"] will be created
  + resource "tfe_variable" "environment" {
      + category        = "terraform"
      + description     = "Environment name"
      + hcl             = false
      + id              = (known after apply)
      + key             = "environment"
      + readable_value  = "dev"
      + sensitive       = false
      + value           = (sensitive value)
      + variable_set_id = (known after apply)
    }

  # tfe_variable.environment["prod"] will be created
  + resource "tfe_variable" "environment" {
      + category        = "terraform"
      + description     = "Environment name"
      + hcl             = false
      + id              = (known after apply)
      + key             = "environment"
      + readable_value  = "prod"
      + sensitive       = false
      + value           = (sensitive value)
      + variable_set_id = (known after apply)
    }

  # tfe_variable.environment["stg"] will be created
  + resource "tfe_variable" "environment" {
      + category        = "terraform"
      + description     = "Environment name"
      + hcl             = false
      + id              = (known after apply)
      + key             = "environment"
      + readable_value  = "stg"
      + sensitive       = false
      + value           = (sensitive value)
      + variable_set_id = (known after apply)
    }

  # tfe_variable.environment["tests"] will be created
  + resource "tfe_variable" "environment" {
      + category        = "terraform"
      + description     = "Environment name"
      + hcl             = false
      + id              = (known after apply)
      + key             = "environment"
      + readable_value  = "tests"
      + sensitive       = false
      + value           = (sensitive value)
      + variable_set_id = (known after apply)
    }

  # tfe_variable.github_argocd_token["infra-dev"] will be created
  + resource "tfe_variable" "github_argocd_token" {
      + category     = "terraform"
      + description  = "Fine Grained token for ArgoCD to access the GitHub repositories"
      + hcl          = false
      + id           = (known after apply)
      + key          = "github_argocd_token"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-xRZuMgPctMHZWzTF"
    }

  # tfe_variable.github_argocd_token["infra-prod"] will be created
  + resource "tfe_variable" "github_argocd_token" {
      + category     = "terraform"
      + description  = "Fine Grained token for ArgoCD to access the GitHub repositories"
      + hcl          = false
      + id           = (known after apply)
      + key          = "github_argocd_token"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-HSBkfvVTf5e2vzPU"
    }

  # tfe_variable.github_argocd_token["infra-tests"] will be created
  + resource "tfe_variable" "github_argocd_token" {
      + category     = "terraform"
      + description  = "Fine Grained token for ArgoCD to access the GitHub repositories"
      + hcl          = false
      + id           = (known after apply)
      + key          = "github_argocd_token"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-gPXmGrk9qNnTucSd"
    }

  # tfe_variable.github_oauth_app_client_id["infra-dev"] will be created
  + resource "tfe_variable" "github_oauth_app_client_id" {
      + category     = "terraform"
      + description  = "For ArgoCD users to authenticate with GitHub"
      + hcl          = false
      + id           = (known after apply)
      + key          = "github_oauth_app_client_id"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-xRZuMgPctMHZWzTF"
    }

  # tfe_variable.github_oauth_app_client_id["infra-prod"] will be created
  + resource "tfe_variable" "github_oauth_app_client_id" {
      + category     = "terraform"
      + description  = "For ArgoCD users to authenticate with GitHub"
      + hcl          = false
      + id           = (known after apply)
      + key          = "github_oauth_app_client_id"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-HSBkfvVTf5e2vzPU"
    }

  # tfe_variable.github_oauth_app_client_id["infra-tests"] will be created
  + resource "tfe_variable" "github_oauth_app_client_id" {
      + category     = "terraform"
      + description  = "For ArgoCD users to authenticate with GitHub"
      + hcl          = false
      + id           = (known after apply)
      + key          = "github_oauth_app_client_id"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-gPXmGrk9qNnTucSd"
    }

  # tfe_variable.github_oauth_app_client_secret["infra-dev"] will be created
  + resource "tfe_variable" "github_oauth_app_client_secret" {
      + category     = "terraform"
      + description  = "For ArgoCD users to authenticate with GitHub"
      + hcl          = false
      + id           = (known after apply)
      + key          = "github_oauth_app_client_secret"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-xRZuMgPctMHZWzTF"
    }

  # tfe_variable.github_oauth_app_client_secret["infra-prod"] will be created
  + resource "tfe_variable" "github_oauth_app_client_secret" {
      + category     = "terraform"
      + description  = "For ArgoCD users to authenticate with GitHub"
      + hcl          = false
      + id           = (known after apply)
      + key          = "github_oauth_app_client_secret"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-HSBkfvVTf5e2vzPU"
    }

  # tfe_variable.github_oauth_app_client_secret["infra-tests"] will be created
  + resource "tfe_variable" "github_oauth_app_client_secret" {
      + category     = "terraform"
      + description  = "For ArgoCD users to authenticate with GitHub"
      + hcl          = false
      + id           = (known after apply)
      + key          = "github_oauth_app_client_secret"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-gPXmGrk9qNnTucSd"
    }

  # tfe_variable.github_token will be created
  + resource "tfe_variable" "github_token" {
      + category     = "terraform"
      + description  = "Fine-grained access token with full permissions for GitHub Terraform provider."
      + hcl          = false
      + id           = (known after apply)
      + key          = "github_token"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-ZUQRyQJbsni3vKja"
    }

  # tfe_variable.organization_name will be created
  + resource "tfe_variable" "organization_name" {
      + category        = "terraform"
      + description     = "The organization name"
      + hcl             = false
      + id              = (known after apply)
      + key             = "organization_name"
      + readable_value  = "gigapenguins"
      + sensitive       = false
      + value           = (sensitive value)
      + variable_set_id = (known after apply)
    }

  # tfe_variable.tfc_aws_provider_auth will be created
  + resource "tfe_variable" "tfc_aws_provider_auth" {
      + category        = "env"
      + description     = "Enables authentication to AWS with TFE's OIDC token"
      + hcl             = false
      + id              = (known after apply)
      + key             = "TFC_AWS_PROVIDER_AUTH"
      + readable_value  = "true"
      + sensitive       = false
      + value           = (sensitive value)
      + variable_set_id = (known after apply)
    }

  # tfe_variable.tfe_token will be created
  + resource "tfe_variable" "tfe_token" {
      + category     = "terraform"
      + description  = "This token is to being passed to GHA env secret variable to authenticate GH runner to TFE Cloud. "
      + hcl          = false
      + id           = (known after apply)
      + key          = "tfe_token"
      + sensitive    = true
      + value        = (sensitive value)
      + workspace_id = "ws-ZUQRyQJbsni3vKja"
    }

  # tfe_variable_set.environment["dev"] will be created
  + resource "tfe_variable_set" "environment" {
      + description   = "Variables for dev environment."
      + global        = false
      + id            = (known after apply)
      + name          = "Environment dev"
      + organization  = "gigapenguins"
      + priority      = false
      + workspace_ids = (known after apply)
    }

  # tfe_variable_set.environment["prod"] will be created
  + resource "tfe_variable_set" "environment" {
      + description   = "Variables for prod environment."
      + global        = false
      + id            = (known after apply)
      + name          = "Environment prod"
      + organization  = "gigapenguins"
      + priority      = false
      + workspace_ids = (known after apply)
    }

  # tfe_variable_set.environment["stg"] will be created
  + resource "tfe_variable_set" "environment" {
      + description   = "Variables for stg environment."
      + global        = false
      + id            = (known after apply)
      + name          = "Environment stg"
      + organization  = "gigapenguins"
      + priority      = false
      + workspace_ids = (known after apply)
    }

  # tfe_variable_set.environment["tests"] will be created
  + resource "tfe_variable_set" "environment" {
      + description   = "Variables for tests environment."
      + global        = false
      + id            = (known after apply)
      + name          = "Environment tests"
      + organization  = "gigapenguins"
      + priority      = false
      + workspace_ids = (known after apply)
    }

  # tfe_variable_set.global will be created
  + resource "tfe_variable_set" "global" {
      + description   = "Global env vars"
      + global        = true
      + id            = (known after apply)
      + name          = "global"
      + organization  = "gigapenguins"
      + priority      = false
      + workspace_ids = (known after apply)
    }

  # tfe_variable_set.project["apps"] will be created
  + resource "tfe_variable_set" "project" {
      + description   = "Variables for apps project."
      + global        = false
      + id            = (known after apply)
      + name          = "Project apps"
      + organization  = "gigapenguins"
      + priority      = false
      + workspace_ids = (known after apply)
    }

  # tfe_variable_set.project["infra"] will be created
  + resource "tfe_variable_set" "project" {
      + description   = "Variables for infra project."
      + global        = false
      + id            = (known after apply)
      + name          = "Project infra"
      + organization  = "gigapenguins"
      + priority      = false
      + workspace_ids = (known after apply)
    }

  # tfe_variable_set.project["org"] will be created
  + resource "tfe_variable_set" "project" {
      + description   = "Variables for org project."
      + global        = false
      + id            = (known after apply)
      + name          = "Project org"
      + organization  = "gigapenguins"
      + priority      = false
      + workspace_ids = (known after apply)
    }

  # tfe_workspace.this["apps-dev"] will be updated in-place
  ~ resource "tfe_workspace" "this" {
        id                            = "ws-7DDHR2xaJudw8RM8"
        name                          = "apps-dev"
      ~ project_id                    = "prj-vbQToTYnRJJqq8sz" -> (known after apply)
        # (26 unchanged attributes hidden)
    }

  # tfe_workspace.this["apps-prod"] will be updated in-place
  ~ resource "tfe_workspace" "this" {
        id                            = "ws-z2GDCfQ8KNth71f3"
        name                          = "apps-prod"
      ~ project_id                    = "prj-vbQToTYnRJJqq8sz" -> (known after apply)
        # (26 unchanged attributes hidden)
    }

  # tfe_workspace.this["apps-stg"] will be updated in-place
  ~ resource "tfe_workspace" "this" {
        id                            = "ws-8QnkL9QyWRZsuVPL"
        name                          = "apps-stg"
      ~ project_id                    = "prj-vbQToTYnRJJqq8sz" -> (known after apply)
        # (26 unchanged attributes hidden)
    }

  # tfe_workspace.this["apps-tests"] will be updated in-place
  ~ resource "tfe_workspace" "this" {
        id                            = "ws-A817FY22aRN8F2q3"
        name                          = "apps-tests"
      ~ project_id                    = "prj-vbQToTYnRJJqq8sz" -> (known after apply)
        # (26 unchanged attributes hidden)
    }

  # tfe_workspace.this["infra-dev"] will be updated in-place
  ~ resource "tfe_workspace" "this" {
        id                            = "ws-xRZuMgPctMHZWzTF"
        name                          = "infra-dev"
      ~ project_id                    = "prj-V4HqcR4efFuk7UVK" -> (known after apply)
        # (26 unchanged attributes hidden)
    }

  # tfe_workspace.this["infra-prod"] will be updated in-place
  ~ resource "tfe_workspace" "this" {
        id                            = "ws-HSBkfvVTf5e2vzPU"
        name                          = "infra-prod"
      ~ project_id                    = "prj-V4HqcR4efFuk7UVK" -> (known after apply)
        # (26 unchanged attributes hidden)
    }

  # tfe_workspace.this["infra-tests"] will be updated in-place
  ~ resource "tfe_workspace" "this" {
        id                            = "ws-gPXmGrk9qNnTucSd"
        name                          = "infra-tests"
      ~ project_id                    = "prj-V4HqcR4efFuk7UVK" -> (known after apply)
        # (26 unchanged attributes hidden)
    }

  # tfe_workspace.this["org"] will be updated in-place
  ~ resource "tfe_workspace" "this" {
        id                            = "ws-ZUQRyQJbsni3vKja"
        name                          = "org"
      ~ project_id                    = "prj-hDV8qzbnNLHYTxYW" -> (known after apply)
        # (26 unchanged attributes hidden)
    }

  # tfe_workspace_variable_set.environment["apps-dev"] will be created
  + resource "tfe_workspace_variable_set" "environment" {
      + id              = (known after apply)
      + variable_set_id = (known after apply)
      + workspace_id    = "ws-7DDHR2xaJudw8RM8"
    }

  # tfe_workspace_variable_set.environment["apps-prod"] will be created
  + resource "tfe_workspace_variable_set" "environment" {
      + id              = (known after apply)
      + variable_set_id = (known after apply)
      + workspace_id    = "ws-z2GDCfQ8KNth71f3"
    }

  # tfe_workspace_variable_set.environment["apps-stg"] will be created
  + resource "tfe_workspace_variable_set" "environment" {
      + id              = (known after apply)
      + variable_set_id = (known after apply)
      + workspace_id    = "ws-8QnkL9QyWRZsuVPL"
    }

  # tfe_workspace_variable_set.environment["apps-tests"] will be created
  + resource "tfe_workspace_variable_set" "environment" {
      + id              = (known after apply)
      + variable_set_id = (known after apply)
      + workspace_id    = "ws-A817FY22aRN8F2q3"
    }

  # tfe_workspace_variable_set.environment["infra-dev"] will be created
  + resource "tfe_workspace_variable_set" "environment" {
      + id              = (known after apply)
      + variable_set_id = (known after apply)
      + workspace_id    = "ws-xRZuMgPctMHZWzTF"
    }

  # tfe_workspace_variable_set.environment["infra-prod"] will be created
  + resource "tfe_workspace_variable_set" "environment" {
      + id              = (known after apply)
      + variable_set_id = (known after apply)
      + workspace_id    = "ws-HSBkfvVTf5e2vzPU"
    }

  # tfe_workspace_variable_set.environment["infra-tests"] will be created
  + resource "tfe_workspace_variable_set" "environment" {
      + id              = (known after apply)
      + variable_set_id = (known after apply)
      + workspace_id    = "ws-gPXmGrk9qNnTucSd"
    }

  # tfe_workspace_variable_set.environment["org"] will be created
  + resource "tfe_workspace_variable_set" "environment" {
      + id              = (known after apply)
      + variable_set_id = (known after apply)
      + workspace_id    = "ws-ZUQRyQJbsni3vKja"
    }

  # module.org_account.aws_iam_role.terraform_cloud will be updated in-place
  ~ resource "aws_iam_role" "terraform_cloud" {
        id                    = "terraform_cloud"
        name                  = "terraform_cloud"
      ~ tags                  = {
          - "TF-workspace" = "default" -> null
        }
      ~ tags_all              = {
          ~ "TF-workspace" = "default" -> "org"
            # (2 unchanged elements hidden)
        }
        # (11 unchanged attributes hidden)
    }

  # module.org_account.tfe_variable.tfc_aws_run_role_arn will be created
  + resource "tfe_variable" "tfc_aws_run_role_arn" {
      + category       = "env"
      + description    = "AWS account to authenticate to"
      + hcl            = false
      + id             = (known after apply)
      + key            = "TFC_AWS_RUN_ROLE_ARN"
      + readable_value = "arn:aws:iam::491085405411:role/terraform_cloud"
      + sensitive      = false
      + value          = (sensitive value)
      + workspace_id   = "ws-ZUQRyQJbsni3vKja"
    }

Plan: 62 to add, 9 to change, 0 to destroy.

Do you want to perform these actions in workspace "org"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

tfe_variable_set.environment["dev"]: Creating...
tfe_team.owners: Creating...
tfe_variable_set.environment["prod"]: Creating...
tfe_project.this["infra"]: Creating...
tfe_organization_membership.this["[email protected]"]: Creating...
tfe_variable_set.global: Creating...
tfe_variable_set.project["infra"]: Creating...
tfe_project.this["apps"]: Creating...
tfe_variable_set.environment["tests"]: Creating...
tfe_variable_set.project["apps"]: Creating...
tfe_variable_set.environment["stg"]: Creating...
tfe_project.this["org"]: Creating...
tfe_variable_set.project["org"]: Creating...
╷
│ Error: Error creating the new project org: invalid attribute
│
│ Name has already been taken
│
│   with tfe_project.this["org"],
│   on tfe.tf line 7, in resource "tfe_project" "this":
│    7: resource "tfe_project" "this" {
│
╵
╷
│ Error: Error creating variable set global, for organization: gigapenguins: invalid attribute
│
│ Name has already been taken
│
│   with tfe_variable_set.global,
│   on tfe.tf line 24, in resource "tfe_variable_set" "global":
│   24: resource "tfe_variable_set" "global" {
│
╵
╷
│ Error: Error creating the new project apps: invalid attribute
│
│ Name has already been taken
│
│   with tfe_project.this["apps"],
│   on tfe.tf line 7, in resource "tfe_project" "this":
│    7: resource "tfe_project" "this" {
│
╵
╷
│ Error: Error creating variable set Environment prod, for organization: gigapenguins: invalid attribute
│
│ Name has already been taken
│
│   with tfe_variable_set.environment["prod"],
│   on tfe.tf line 85, in resource "tfe_variable_set" "environment":
│   85: resource "tfe_variable_set" "environment" {
│
╵
╷
│ Error: Error creating variable set Environment dev, for organization: gigapenguins: invalid attribute
│
│ Name has already been taken
│
│   with tfe_variable_set.environment["dev"],
│   on tfe.tf line 85, in resource "tfe_variable_set" "environment":
│   85: resource "tfe_variable_set" "environment" {
│
╵
╷
│ Error: Error creating variable set Project infra, for organization: gigapenguins: invalid attribute
│
│ Name has already been taken
│
│   with tfe_variable_set.project["infra"],
│   on tfe.tf line 73, in resource "tfe_variable_set" "project":
│   73: resource "tfe_variable_set" "project" {
│
╵
╷
│ Error: Error creating variable set Environment tests, for organization: gigapenguins: invalid attribute
│
│ Name has already been taken
│
│   with tfe_variable_set.environment["tests"],
│   on tfe.tf line 85, in resource "tfe_variable_set" "environment":
│   85: resource "tfe_variable_set" "environment" {
│
╵
╷
│ Error: Error creating team owners for organization gigapenguins: invalid attribute
│
│ Name has already been taken
│
│   with tfe_team.owners,
│   on tfe-access.tf line 12, in resource "tfe_team" "owners":
│   12: resource "tfe_team" "owners" { # todo / try data instaed of resource becase this team is default
│
╵
╷
│ Error: Error creating variable set Project org, for organization: gigapenguins: invalid attribute
│
│ Name has already been taken
│
│   with tfe_variable_set.project["org"],
│   on tfe.tf line 73, in resource "tfe_variable_set" "project":
│   73: resource "tfe_variable_set" "project" {
│
╵
╷
│ Error: Error creating variable set Environment stg, for organization: gigapenguins: invalid attribute
│
│ Name has already been taken
│
│   with tfe_variable_set.environment["stg"],
│   on tfe.tf line 85, in resource "tfe_variable_set" "environment":
│   85: resource "tfe_variable_set" "environment" {
│
╵
╷
│ Error: Error creating the new project infra: invalid attribute
│
│ Name has already been taken
│
│   with tfe_project.this["infra"],
│   on tfe.tf line 7, in resource "tfe_project" "this":
│    7: resource "tfe_project" "this" {
│
╵
╷
│ Error: Error creating membership [email protected] for organization gigapenguins: invalid attribute
│
│ User is already an organization member
│
│   with tfe_organization_membership.this["[email protected]"],
│   on tfe-access.tf line 16, in resource "tfe_organization_membership" "this":
│   16: resource "tfe_organization_membership" "this" {
│
╵
╷
│ Error: Error creating variable set Project apps, for organization: gigapenguins: invalid attribute
│
│ Name has already been taken
│
│   with tfe_variable_set.project["apps"],
│   on tfe.tf line 73, in resource "tfe_variable_set" "project":
│   73: resource "tfe_variable_set" "project" {
│

Operation failed: failed running terraform apply (exit 1)
Desktop/gigapenguins/terraform-org/terraform % ⭐️ terraform state list
data.tfe_organization.this
tfe_workspace.this["apps-dev"]
tfe_workspace.this["apps-prod"]
tfe_workspace.this["apps-stg"]
tfe_workspace.this["apps-tests"]
tfe_workspace.this["infra-dev"]
tfe_workspace.this["infra-prod"]
tfe_workspace.this["infra-tests"]
tfe_workspace.this["org"]
module.org_account.data.aws_iam_policy.administrator_access
module.org_account.data.tls_certificate.terraform_cloud
module.org_account.aws_iam_account_alias.alias
module.org_account.aws_iam_openid_connect_provider.terraform_cloud
module.org_account.aws_iam_role.terraform_cloud
module.org_account.aws_s3_account_public_access_block.this

Expected Behavior

Empty plan or Error

Actual Behavior

Terraform tries to create resources which already exist and are already in state, then fails.

Steps to Reproduce

  1. terraform init with no remote backend.
  2. Create tfe resources. And forget to create tfe_variable TFE_TOKEN env var for the workspace.
  3. Uncomment tfe backend.
  4. Run init, "yes" to migrate local backend.
  5. Run terraform plan and see an inconsistent plan: it tries to create resources which already exist.
  6. Try terraform state list: all resources are in place.
  7. Get errors "resource with this name already exist".
  8. Try terraform state list and see that only workspaces are left in state; other resources disappeared.

Additional Context

I was happy to find out that the migration process leaves a local terraform.tfstate.backup.

References

No response

Generative AI / LLM assisted development?

No response
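
A check for the state loss described in steps 6 to 8, as an added example that is not part of the original report and not Terraform's own code: it compares the resource addresses in the local terraform.tfstate.backup with `terraform state list` output and reports what disappeared. The sample state and list are constructed, the function names are hypothetical, and the parser assumes the version 4 state file layout.

```python
import json

# Constructed sample: a trimmed version-4 state document standing in for the
# terraform.tfstate.backup left by the migration (not data from the issue).
SAMPLE_BACKUP = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "data", "type": "tfe_organization", "name": "this",
         "instances": [{}]},
        {"mode": "managed", "type": "tfe_workspace", "name": "this",
         "instances": [{"index_key": "org"}, {"index_key": "apps-stg"}]},
        {"mode": "managed", "type": "tfe_project", "name": "this",
         "instances": [{"index_key": "org"}]},
        {"module": "module.org_account", "mode": "managed",
         "type": "aws_iam_role", "name": "terraform_cloud", "instances": [{}]},
    ],
})

# Constructed sample of `terraform state list` output after the failed apply.
SAMPLE_STATE_LIST = """\
data.tfe_organization.this
tfe_workspace.this["apps-stg"]
tfe_workspace.this["org"]
module.org_account.aws_iam_role.terraform_cloud
"""

def addresses_from_state(state_json):
    """Return the set of resource instance addresses in a v4 state document."""
    addrs = set()
    for res in json.loads(state_json).get("resources", []):
        base = f'{res["type"]}.{res["name"]}'
        if res.get("mode") == "data":
            base = "data." + base          # data sources carry a data. prefix
        if res.get("module"):
            base = f'{res["module"]}.{base}'
        for inst in res.get("instances", []):
            key = inst.get("index_key")    # absent when no count/for_each is used
            if key is None:
                addrs.add(base)
            elif isinstance(key, str):
                addrs.add(f'{base}["{key}"]')
            else:
                addrs.add(f"{base}[{key}]")
    return addrs

def missing_after_migration(backup_json, state_list_output):
    """Addresses present in the backup but absent from the current state list."""
    current = {ln.strip() for ln in state_list_output.splitlines() if ln.strip()}
    return sorted(addresses_from_state(backup_json) - current)

if __name__ == "__main__":
    for addr in missing_after_migration(SAMPLE_BACKUP, SAMPLE_STATE_LIST):
        print("missing from current state:", addr)
```
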

@magzim21 magzim21 added bug new new issue not yet triaged labels Dec 21, 2024
@magzim21 magzim21 changed the title State migration to Terraform Cloud does now work correctly Incorrect plan when TFE_TOKEN env var is not set on runner Dec 21, 2024
@magzim21 magzim21 changed the title Incorrect plan when TFE_TOKEN env var is not set on runner Incorrect plan when TFE_TOKEN env var is not set in TFE workspace Dec 21, 2024
@magzim21 magzim21 changed the title Incorrect plan when TFE_TOKEN env var is not set in TFE workspace Incorrect plan on tfe_ resources when TFE_TOKEN env var is not set in TFE workspace Dec 21, 2024
@crw
Contributor

crw commented Jan 6, 2025

Thanks for this report!

@liamcervante liamcervante added the cloud Related to Terraform Cloud's integration with Terraform label Jan 7, 2025