Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

config: do_token is not a valid output for module creds #9134

Closed
jgartrel opened this issue Sep 29, 2016 · 6 comments · Fixed by #10282
Closed

config: do_token is not a valid output for module creds #9134

jgartrel opened this issue Sep 29, 2016 · 6 comments · Fixed by #10282

Comments

@jgartrel
Copy link

jgartrel commented Sep 29, 2016

Hello,

We currently receive an error while running terraform get --update when a specific module is included. It looks like the additional validation added to 0.7.3 has impacted our use case a bit. Could this validation be done at runtime of 'plan' or 'apply' instead of during the 'get' phase?

I expect that the terraform get --update command would just fetch the dependent modules and setup its local module cache, as it has done in the past. Any validations should be done at runtime as a prerequisite to 'plan' or 'apply'.

Specifically the error we see is:

  • Error loading Terraform: module root: provider config 'digitalocean': do_token is not a valid output for module creds

Important Factoids

We are using a module to store shared and encrypted credentials for our DevOps team, (see tf_af_creds). Currently, using modules are the easiest way to store common secrets (at least until the Vault data provider appears in Terraform). Our use case may be "odd" but certainly not without precedent. Many of the terraform-community-modules require the invocation of a make step prior to usage, (see tf_aws_ubuntu_ami). Looking through all of the community modules, it seems to be evolving into a design pattern with some modules defining "noop" makefiles just to match the pattern, (see tf_aws_puppet).

Our situation is unique in that we are "building" output.tf, whereas most others do not. However, it is quite similar, in that the module is "built" post terraform get. Please see the README.md in tf_af_creds for more detailed information on the module itself. The example code below should allow you to duplicate the issue. I am a bit concerned about sharing our credentials repo publicly, but that was what it was designed to allow (so this will be a good test).

Terraform Version

Terraform v0.7.4 (confirmed error)
Terraform v0.7.3 (confirmed error)
Terraform v0.7.2 (does not throw error)

Affected Resource(s)

Please list the resources as a list, for example:

  • core (all modules)
  • digitalocean (tested)
  • aws_instance (tested)

Terraform Configuration Files

The below examples us our tf_af_creds module.

Using the DigitalOcean provider throws the error:

module "creds" {
    source = "git::ssh://git@github.com/jgartrel/tf_af_creds.git"
}

provider "digitalocean" {
  token = "${module.creds.do_token}"
}

Using the AWS provider also throws the error:

module "creds" {
    source = "git::ssh://git@github.com/jgartrel/tf_af_creds.git"
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_instance" "node" {
  ami           = "ami-a3cbb0b4"
  instance_type = "m3.medium"
  key_name      = "${module.creds.do_key_name}"
  count         = "0"

  connection {
    user = "ubuntu"
    type = "ssh"
    key_file = "${module.creds.do_priv_key}"
    timeout = "2m"
  }
}

Debug Output

$ TF_LOG=debug ~/Downloads/terraform_0.7.3 get --update
2016/09/29 09:26:37 [INFO] Terraform version: 0.7.3  0dd7c657d6d60d2e7392b66ae6f74fb84582cab9
...
Get: git::ssh://git@github.com/jgartrel/tf_af_creds.git (update)
2016/09/29 09:26:39 [DEBUG] plugin: waiting for all plugin processes to complete...
Error loading Terraform: module root: provider config 'digitalocean': do_token is not a valid output for module creds

Expected Behavior

I expect that the terraform get --update command should exit without error. IMO it should just fetch the dependent modules as it has done in the past, and setup its local module cache. Any validations should be done at runtime as a prerequisite to 'plan' or 'apply'.

Actual Behavior

A validation was performed on the modules (and root code) BEFORE those modules were completely initialized, since the dependent module had an additional initialization step (make required)

Steps to Reproduce

Use the following steps to reproduce the issue:

  1. Create a 'main.tf' file using the following code:

    module "creds" {
        source = "git::ssh://git@github.com/jgartrel/tf_af_creds.git"
    }
    
    provider "digitalocean" {
      token = "${module.creds.do_token}"
    }
  2. Run: terraform get --update

References

This may be related to the following bugfix in 0.7.3:

@jgartrel
Copy link
Author

Could someone please look at this issue? It would be really nice if terraform would not do module validations until 'runtime' as a prerequisite to 'plan' or 'apply'.

@jgartrel
Copy link
Author

@mitchellh - Could you make a call on this ... It would be really nice if terraform would not do module validations until 'runtime' as a prerequisite to 'plan' or 'apply'.

@jgartrel
Copy link
Author

FWIW, this is not digitalocean bug it would happen with any module that "compiles" its *.tf files

@mitchellh
Copy link
Contributor

Agreed this is a core bug. We should do validation after loading all the modules, not before.

@mitchellh
Copy link
Contributor

Solved it! :) We were actually not parsing null characters properly.

@ghost
Copy link

ghost commented Apr 19, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 19, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants