TerraformCloud private registry integration not working using terraformrc #217
Comments
Is this the right way to use terraform cloud as a backend? |
I switched to using GitHub as the source of the module while using terraform cloud workspaces as a backend. I passed the token credentials in a
|
I never tested terraform cloud integration with provider-terraform, but it looks like we need to propagate the token in some supported manner, e.g. https://developer.hashicorp.com/terraform/cli/config/config-file#environment-variable-credentials |
Thanks @ytsarev I managed to make it work by adding the token in the
|
Everything that is supported by the standard open source terraform CLI (current version included: https://github.com/upbound/provider-terraform/blob/main/cluster/images/provider-terraform/Dockerfile#L6) should be supported as well. I would investigate standard terraform issues like hashicorp/terraform#23076 (comment) to proceed. |
@ytsarev the PS: the workspace was already created on terraform cloud
I think this comment is related to what you posted earlier but gives a bit more context. Next I tried using workspace ProviderConfig
Error Message
|
@ytsarev I tried to use an S3 bucket as the backend and it seems that the provider wasn't using the role I passed to the ProviderConfig
Provider / DeploymentRuntimeConfig
Yet I still get this ERROR
PS: IRSA works for |
I tried using Kubernetes as a backend. Yet I still got an error on assuming the needed role.
I validated that the ServiceAccount user is assigned to the right role-ARN
I checked the OIDC trust policy and it was valid, I also tried creating a resource using the
|
It feels like something is not right, the docs here mentioned that the process is similar to what we have in provider-aws. But none of the |
Have you verified that the AWS environment variables are set in the pod as a result of the annotation? |
@bobh66 They are
|
I tested older version It only worked after I passed a user token and used AWS s3 as a backend. This is not ideal in my case since the project that I'm working on uses IRSA and terraform cloud as a backend. ProviderConfig
|
It sounds like a problem with the Assume Role configuration - are you sure that the provider-terraform service account name is right? You might add "" to the end of the service account name in the AssumeRole definition so that any provider-terraform service account can assume the role. |
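An added example, not part of the original thread or the provider's code: a small Python check of how an IRSA trust policy's `:sub` condition treats a provider service account name, contrasting an exact `StringEquals` match with a `StringLike` wildcard. The account ID, OIDC issuer, namespace and service account names are constructed, and the wildcard pattern is an assumption about the suggestion in the comment above.

```python
import re

# Constructed sample values (not taken from the issue).
OIDC = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE0123456789"
NAMESPACE = "upbound-system"
RUNTIME_SA = "provider-terraform-a1b2c3d4e5f6"  # assumed name with a generated suffix

def trust_policy(operator, sa_pattern):
    """Build an IRSA trust policy whose :sub condition uses the given operator."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {operator: {
            f"{OIDC}:sub": f"system:serviceaccount:{NAMESPACE}:{sa_pattern}"}},
    }]}

def _like(pattern, value):
    # IAM StringLike: '*' matches any run of characters, '?' exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, flags=re.DOTALL) is not None

def sub_allowed(policy, namespace, service_account):
    """True if some Allow statement accepts this service account's token subject."""
    sub = f"system:serviceaccount:{namespace}:{service_account}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        checks = []
        for op, kv in stmt.get("Condition", {}).items():
            for key, want in kv.items():
                if not key.endswith(":sub"):
                    continue  # other keys such as :aud are not evaluated here
                wants = want if isinstance(want, list) else [want]
                if op == "StringEquals":
                    checks.append(sub in wants)  # '*' is a literal character here
                elif op == "StringLike":
                    checks.append(any(_like(w, sub) for w in wants))
                else:
                    checks.append(False)  # unknown operator: fail closed
        if all(checks):  # no :sub condition at all means any subject is accepted
            return True
    return False

if __name__ == "__main__":
    for op, pat in [("StringEquals", "provider-terraform"),
                    ("StringEquals", "provider-terraform-*"),
                    ("StringLike", "provider-terraform-*")]:
        print(op, pat, sub_allowed(trust_policy(op, pat), NAMESPACE, RUNTIME_SA))
```

The wildcard form trusts every service account in that namespace whose name starts with the prefix, so the namespace should stay fixed in the pattern and the prefix should be as long as possible.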
Yeah the name is right @bobh66, seems I figured it out. Looks like the issue was caused by the
|
I have seen problems with a role trying to assume itself - that used to be allowed by default but it was changed some time ago to require specific provisioning to allow it to work. Glad you got it working! |
Thank you @bobh66 I hope I get the same luck with the terraformCloud backend issue. |
More testing was done and I noticed that the workspace was creating a new workspace on other than the one I provided which matched the
I changed the value of the I was now left with a different error which was complaining about the absence of a state file in this backend.
I will be discussing this error in another issue. I will close this issue for the time being since the main problems (using IRSA, and TerraformCloud as a backend) were resolved. |
What happened?
I'm trying to deploy a workspace resource from a module hosted on terraform cloud
How can we reproduce it?
Create terraform secret to be used by the ProviderConfig
Create ProviderConfig
Create the configmap that holds the values for the variables needed by the remote module
Create the workspace
What environment did it happen in?
Expected Behavior
Pull the module and deploy it as a workspace resource.
Current Behavior
getting errors like the below
Adding https:// to the module URL returned the below error