BugZero | Terraform BugID 36243 - Incorrect plan on tfe_ resources when TFE

BugZero | Terraform BugID 36243 - Incorrect plan on tfe_ resources when TFE_TOKEN en...

Terraform - Defect ID: 36243

Incorrect plan on tfe_ resources when TFE_TOKEN env var is not set in TFE workspace

Terraform - Defect ID: 36243

Incorrect plan on tfe_ resources when TFE_TOKEN env var is not set in TFE workspace

Last updated on January 7th, 2025

BugZero Risk Score
8.5 High

Overall: 8.5

Status: 10.0

Community: 3.7

What is the BugZero Risk Score?

Terraform Integration

Learn more about where this data comes from

Terraform Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Priority: Unspecified
Status: Open

Description

### Terraform Version ```shell Terraform v1.9.3 on darwin_arm64 + provider registry.terraform.io/hashicorp/aws v5.56.1 + provider registry.terraform.io/hashicorp/tfe v0.55.0 + provider registry.terraform.io/hashicorp/tls v4.0.6 Your version of Terraform is out of date! The latest version is 1.10.2. You can update by downloading from https://www.terraform.io/downloads.html ``` ### Terraform Configuration Files First I create tfe resources locally, then uncomment terraform cloud backend and run `terraform init`, answer "yes" to migrate state. ### Debug Output Running `apply` after the state had been migrated ``` terraform apply Running apply in HCP Terraform. Output will stream here. Pressing Ctrl-C will cancel the remote apply if it's still pending. If the apply started it will stop streaming the logs, but will not stop the apply running remotely. Preparing the remote apply... To view this run in a browser, visit: https://app.terraform.io/app/gigapenguins/org/runs/run-2Q41hQniDnma8qeo Waiting for the plan to start... Terraform v1.9.8 on linux_amd64 Initializing plugins and modules... data.tfe_organization.this: Refreshing... module.org_account.data.tls_certificate.terraform_cloud: Refreshing... tfe_workspace.this["apps-stg"]: Refreshing state... [id=ws-8QnkL9QyWRZsuVPL] tfe_workspace.this["infra-dev"]: Refreshing state... [id=ws-xRZuMgPctMHZWzTF] tfe_workspace.this["apps-tests"]: Refreshing state... [id=ws-A817FY22aRN8F2q3] tfe_workspace.this["apps-prod"]: Refreshing state... [id=ws-z2GDCfQ8KNth71f3] tfe_workspace.this["org"]: Refreshing state... [id=ws-ZUQRyQJbsni3vKja] tfe_workspace.this["apps-dev"]: Refreshing state... [id=ws-7DDHR2xaJudw8RM8] tfe_workspace.this["infra-prod"]: Refreshing state... [id=ws-HSBkfvVTf5e2vzPU] module.org_account.data.tls_certificate.terraform_cloud: Refresh complete after 0s [id=ebb6b5e1bae10fcd4125dc26813af52dcd4695a9] tfe_workspace.this["infra-tests"]: Refreshing state... [id=ws-gPXmGrk9qNnTucSd] data.tfe_organization.this: Refresh complete after 0s [id=org-VcTS3LLWgkbGbM5z] module.org_account.aws_s3_account_public_access_block.this: Refreshing state... [id=491085405411] module.org_account.data.aws_iam_policy.administrator_access: Refreshing... module.org_account.aws_iam_account_alias.alias: Refreshing state... [id=gigapenguins] module.org_account.aws_iam_openid_connect_provider.terraform_cloud: Refreshing state... [id=arn:aws:iam::491085405411:oidc-provider/app.terraform.io] module.org_account.data.aws_iam_policy.administrator_access: Refresh complete after 0s [id=arn:aws:iam::aws:policy/AdministratorAccess] module.org_account.aws_iam_role.terraform_cloud: Refreshing state... [id=terraform_cloud] tfe_workspace.this["org"]: Drift detected (update) ╷ │ Warning: Value for undeclared variable │ │ The root module does not declare a variable named "TFE_TOKEN" but a value │ was found in file │ "/home/tfc-agent/.tfc-agent/component/terraform/runs/run-2Q41hQniDnma8qeo/terraform.tfvars". │ If you meant to use this value, add a "variable" block to the │ configuration. │ │ To silence these warnings, use TF_VAR_... environment variables to provide │ certain "global" settings to all configurations in your organization. To │ reduce the verbosity of these warnings, use the -compact-warnings option. ╵ Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan: # tfe_workspace.this["org"] has changed ~ resource "tfe_workspace" "this" { id = "ws-ZUQRyQJbsni3vKja" name = "org" ~ resource_count = 77 -> 15 # (26 unchanged attributes hidden) } Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes. ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create ~ update in-place Terraform will perform the following actions: # tfe_organization_membership.this["devops@maxim.run"] will be created + resource "tfe_organization_membership" "this" { + email = "devops@maxim.run" + id = (known after apply) + organization = "gigapenguins" + user_id = (known after apply) + username = (known after apply) } # tfe_project.this["apps"] will be created + resource "tfe_project" "this" { + id = (known after apply) + name = "apps" + organization = "gigapenguins" # (1 unchanged attribute hidden) } # tfe_project.this["infra"] will be created + resource "tfe_project" "this" { + id = (known after apply) + name = "infra" + organization = "gigapenguins" # (1 unchanged attribute hidden) } # tfe_project.this["org"] will be created + resource "tfe_project" "this" { + id = (known after apply) + name = "org" + organization = "gigapenguins" # (1 unchanged attribute hidden) } # tfe_project_variable_set.project["apps"] will be created + resource "tfe_project_variable_set" "project" { + id = (known after apply) + project_id = (known after apply) + variable_set_id = (known after apply) } # tfe_project_variable_set.project["infra"] will be created + resource "tfe_project_variable_set" "project" { + id = (known after apply) + project_id = (known after apply) + variable_set_id = (known after apply) } # tfe_project_variable_set.project["org"] will be created + resource "tfe_project_variable_set" "project" { + id = (known after apply) + project_id = (known after apply) + variable_set_id = (known after apply) } # tfe_team.owners will be created + resource "tfe_team" "owners" { + id = (known after apply) + name = "owners" + organization = (known after apply) + visibility = "secret" + organization_access (known after apply) } # tfe_team_organization_member.owners["devops@maxim.run"] will be created + resource "tfe_team_organization_member" "owners" { + id = (known after apply) + organization_membership_id = (known after apply) + team_id = (known after apply) } # tfe_variable.argocd_admin_password["infra-dev"] will be created + resource "tfe_variable" "argocd_admin_password" { + category = "terraform" + description = "Sets the initial admin password for ArgoCD" + hcl = false + id = (known after apply) + key = "argocd_admin_password" + sensitive = true + value = (sensitive value) + workspace_id = "ws-xRZuMgPctMHZWzTF" } # tfe_variable.argocd_admin_password["infra-prod"] will be created + resource "tfe_variable" "argocd_admin_password" { + category = "terraform" + description = "Sets the initial admin password for ArgoCD" + hcl = false + id = (known after apply) + key = "argocd_admin_password" + sensitive = true + value = (sensitive value) + workspace_id = "ws-HSBkfvVTf5e2vzPU" } # tfe_variable.argocd_admin_password["infra-tests"] will be created + resource "tfe_variable" "argocd_admin_password" { + category = "terraform" + description = "Sets the initial admin password for ArgoCD" + hcl = false + id = (known after apply) + key = "argocd_admin_password" + sensitive = true + value = (sensitive value) + workspace_id = "ws-gPXmGrk9qNnTucSd" } # tfe_variable.datadog_api_key["apps-dev"] will be created + resource "tfe_variable" "datadog_api_key" { + category = "terraform" + description = "Datadog API key." + hcl = false + id = (known after apply) + key = "datadog_api_key" + sensitive = true + value = (sensitive value) + workspace_id = "ws-7DDHR2xaJudw8RM8" } # tfe_variable.datadog_api_key["apps-prod"] will be created + resource "tfe_variable" "datadog_api_key" { + category = "terraform" + description = "Datadog API key." + hcl = false + id = (known after apply) + key = "datadog_api_key" + sensitive = true + value = (sensitive value) + workspace_id = "ws-z2GDCfQ8KNth71f3" } # tfe_variable.datadog_api_key["apps-stg"] will be created + resource "tfe_variable" "datadog_api_key" { + category = "terraform" + description = "Datadog API key." + hcl = false + id = (known after apply) + key = "datadog_api_key" + sensitive = true + value = (sensitive value) + workspace_id = "ws-8QnkL9QyWRZsuVPL" } # tfe_variable.datadog_api_key["apps-tests"] will be created + resource "tfe_variable" "datadog_api_key" { + category = "terraform" + description = "Datadog API key." + hcl = false + id = (known after apply) + key = "datadog_api_key" + sensitive = true + value = (sensitive value) + workspace_id = "ws-A817FY22aRN8F2q3" } # tfe_variable.datadog_api_key["infra-dev"] will be created + resource "tfe_variable" "datadog_api_key" { + category = "terraform" + description = "Datadog API key." + hcl = false + id = (known after apply) + key = "datadog_api_key" + sensitive = true + value = (sensitive value) + workspace_id = "ws-xRZuMgPctMHZWzTF" } # tfe_variable.datadog_api_key["infra-prod"] will be created + resource "tfe_variable" "datadog_api_key" { + category = "terraform" + description = "Datadog API key." + hcl = false + id = (known after apply) + key = "datadog_api_key" + sensitive = true + value = (sensitive value) + workspace_id = "ws-HSBkfvVTf5e2vzPU" } # tfe_variable.datadog_api_key["infra-tests"] will be created + resource "tfe_variable" "datadog_api_key" { + category = "terraform" + description = "Datadog API key." + hcl = false + id = (known after apply) + key = "datadog_api_key" + sensitive = true + value = (sensitive value) + workspace_id = "ws-gPXmGrk9qNnTucSd" } # tfe_variable.datadog_api_key["org"] will be created + resource "tfe_variable" "datadog_api_key" { + category = "terraform" + description = "Datadog API key." + hcl = false + id = (known after apply) + key = "datadog_api_key" + sensitive = true + value = (sensitive value) + workspace_id = "ws-ZUQRyQJbsni3vKja" } # tfe_variable.datadog_app_key["apps-dev"] will be created + resource "tfe_variable" "datadog_app_key" { + category = "terraform" + description = "Datadog App key." + hcl = false + id = (known after apply) + key = "datadog_app_key" + sensitive = true + value = (sensitive value) + workspace_id = "ws-7DDHR2xaJudw8RM8" } # tfe_variable.datadog_app_key["apps-prod"] will be created + resource "tfe_variable" "datadog_app_key" { + category = "terraform" + description = "Datadog App key." + hcl = false + id = (known after apply) + key = "datadog_app_key" + sensitive = true + value = (sensitive value) + workspace_id = "ws-z2GDCfQ8KNth71f3" } # tfe_variable.datadog_app_key["apps-stg"] will be created + resource "tfe_variable" "datadog_app_key" { + category = "terraform" + description = "Datadog App key." + hcl = false + id = (known after apply) + key = "datadog_app_key" + sensitive = true + value = (sensitive value) + workspace_id = "ws-8QnkL9QyWRZsuVPL" } # tfe_variable.datadog_app_key["apps-tests"] will be created + resource "tfe_variable" "datadog_app_key" { + category = "terraform" + description = "Datadog App key." + hcl = false + id = (known after apply) + key = "datadog_app_key" + sensitive = true + value = (sensitive value) + workspace_id = "ws-A817FY22aRN8F2q3" } # tfe_variable.datadog_app_key["infra-dev"] will be created + resource "tfe_variable" "datadog_app_key" { + category = "terraform" + description = "Datadog App key." + hcl = false + id = (known after apply) + key = "datadog_app_key" + sensitive = true + value = (sensitive value) + workspace_id = "ws-xRZuMgPctMHZWzTF" } # tfe_variable.datadog_app_key["infra-prod"] will be created + resource "tfe_variable" "datadog_app_key" { + category = "terraform" + description = "Datadog App key." + hcl = false + id = (known after apply) + key = "datadog_app_key" + sensitive = true + value = (sensitive value) + workspace_id = "ws-HSBkfvVTf5e2vzPU" } # tfe_variable.datadog_app_key["infra-tests"] will be created + resource "tfe_variable" "datadog_app_key" { + category = "terraform" + description = "Datadog App key." + hcl = false + id = (known after apply) + key = "datadog_app_key" + sensitive = true + value = (sensitive value) + workspace_id = "ws-gPXmGrk9qNnTucSd" } # tfe_variable.datadog_app_key["org"] will be created + resource "tfe_variable" "datadog_app_key" { + category = "terraform" + description = "Datadog App key." + hcl = false + id = (known after apply) + key = "datadog_app_key" + sensitive = true + value = (sensitive value) + workspace_id = "ws-ZUQRyQJbsni3vKja" } # tfe_variable.environment["dev"] will be created + resource "tfe_variable" "environment" { + category = "terraform" + description = "Environment name" + hcl = false + id = (known after apply) + key = "environment" + readable_value = "dev" + sensitive = false + value = (sensitive value) + variable_set_id = (known after apply) } # tfe_variable.environment["prod"] will be created + resource "tfe_variable" "environment" { + category = "terraform" + description = "Environment name" + hcl = false + id = (known after apply) + key = "environment" + readable_value = "prod" + sensitive = false + value = (sensitive value) + variable_set_id = (known after apply) } # tfe_variable.environment["stg"] will be created + resource "tfe_variable" "environment" { + category = "terraform" + description = "Environment name" + hcl = false + id = (known after apply) + key = "environment" + readable_value = "stg" + sensitive = false + value = (sensitive value) + variable_set_id = (known after apply) } # tfe_variable.environment["tests"] will be created + resource "tfe_variable" "environment" { + category = "terraform" + description = "Environment name" + hcl = false + id = (known after apply) + key = "environment" + readable_value = "tests" + sensitive = false + value = (sensitive value) + variable_set_id = (known after apply) } # tfe_variable.github_argocd_token["infra-dev"] will be created + resource "tfe_variable" "github_argocd_token" { + category = "terraform" + description = "Fine Grained token for ArgoCD to access the GitHub repositories" + hcl = false + id = (known after apply) + key = "github_argocd_token" + sensitive = true + value = (sensitive value) + workspace_id = "ws-xRZuMgPctMHZWzTF" } # tfe_variable.github_argocd_token["infra-prod"] will be created + resource "tfe_variable" "github_argocd_token" { + category = "terraform" + description = "Fine Grained token for ArgoCD to access the GitHub repositories" + hcl = false + id = (known after apply) + key = "github_argocd_token" + sensitive = true + value = (sensitive value) + workspace_id = "ws-HSBkfvVTf5e2vzPU" } # tfe_variable.github_argocd_token["infra-tests"] will be created + resource "tfe_variable" "github_argocd_token" { + category = "terraform" + description = "Fine Grained token for ArgoCD to access the GitHub repositories" + hcl = false + id = (known after apply) + key = "github_argocd_token" + sensitive = true + value = (sensitive value) + workspace_id = "ws-gPXmGrk9qNnTucSd" } # tfe_variable.github_oauth_app_client_id["infra-dev"] will be created + resource "tfe_variable" "github_oauth_app_client_id" { + category = "terraform" + description = "For ArgoCD users to authenticate with GitHub" + hcl = false + id = (known after apply) + key = "github_oauth_app_client_id" + sensitive = true + value = (sensitive value) + workspace_id = "ws-xRZuMgPctMHZWzTF" } # tfe_variable.github_oauth_app_client_id["infra-prod"] will be created + resource "tfe_variable" "github_oauth_app_client_id" { + category = "terraform" + description = "For ArgoCD users to authenticate with GitHub" + hcl = false + id = (known after apply) + key = "github_oauth_app_client_id" + sensitive = true + value = (sensitive value) + workspace_id = "ws-HSBkfvVTf5e2vzPU" } # tfe_variable.github_oauth_app_client_id["infra-tests"] will be created + resource "tfe_variable" "github_oauth_app_client_id" { + category = "terraform" + description = "For ArgoCD users to authenticate with GitHub" + hcl = false + id = (known after apply) + key = "github_oauth_app_client_id" + sensitive = true + value = (sensitive value) + workspace_id = "ws-gPXmGrk9qNnTucSd" } # tfe_variable.github_oauth_app_client_secret["infra-dev"] will be created + resource "tfe_variable" "github_oauth_app_client_secret" { + category = "terraform" + description = "For ArgoCD users to authenticate with GitHub" + hcl = false + id = (known after apply) + key = "github_oauth_app_client_secret" + sensitive = true + value = (sensitive value) + workspace_id = "ws-xRZuMgPctMHZWzTF" } # tfe_variable.github_oauth_app_client_secret["infra-prod"] will be created + resource "tfe_variable" "github_oauth_app_client_secret" { + category = "terraform" + description = "For ArgoCD users to authenticate with GitHub" + hcl = false + id = (known after apply) + key = "github_oauth_app_client_secret" + sensitive = true + value = (sensitive value) + workspace_id = "ws-HSBkfvVTf5e2vzPU" } # tfe_variable.github_oauth_app_client_secret["infra-tests"] will be created + resource "tfe_variable" "github_oauth_app_client_secret" { + category = "terraform" + description = "For ArgoCD users to authenticate with GitHub" + hcl = false + id = (known after apply) + key = "github_oauth_app_client_secret" + sensitive = true + value = (sensitive value) + workspace_id = "ws-gPXmGrk9qNnTucSd" } # tfe_variable.github_token will be created + resource "tfe_variable" "github_token" { + category = "terraform" + description = "Fine-grained access token with full permissions for GitHub Terraform provider." + hcl = false + id = (known after apply) + key = "github_token" + sensitive = true + value = (sensitive value) + workspace_id = "ws-ZUQRyQJbsni3vKja" } # tfe_variable.organization_name will be created + resource "tfe_variable" "organization_name" { + category = "terraform" + description = "The organization name" + hcl = false + id = (known after apply) + key = "organization_name" + readable_value = "gigapenguins" + sensitive = false + value = (sensitive value) + variable_set_id = (known after apply) } # tfe_variable.tfc_aws_provider_auth will be created + resource "tfe_variable" "tfc_aws_provider_auth" { + category = "env" + description = "Enables authentication to AWS with TFE's OIDC token" + hcl = false + id = (known after apply) + key = "TFC_AWS_PROVIDER_AUTH" + readable_value = "true" + sensitive = false + value = (sensitive value) + variable_set_id = (known after apply) } # tfe_variable.tfe_token will be created + resource "tfe_variable" "tfe_token" { + category = "terraform" + description = "This token is to being passed to GHA env secret variable to authenticate GH runner to TFE Cloud. " + hcl = false + id = (known after apply) + key = "tfe_token" + sensitive = true + value = (sensitive value) + workspace_id = "ws-ZUQRyQJbsni3vKja" } # tfe_variable_set.environment["dev"] will be created + resource "tfe_variable_set" "environment" { + description = "Variables for dev environment." + global = false + id = (known after apply) + name = "Environment dev" + organization = "gigapenguins" + priority = false + workspace_ids = (known after apply) } # tfe_variable_set.environment["prod"] will be created + resource "tfe_variable_set" "environment" { + description = "Variables for prod environment." + global = false + id = (known after apply) + name = "Environment prod" + organization = "gigapenguins" + priority = false + workspace_ids = (known after apply) } # tfe_variable_set.environment["stg"] will be created + resource "tfe_variable_set" "environment" { + description = "Variables for stg environment." + global = false + id = (known after apply) + name = "Environment stg" + organization = "gigapenguins" + priority = false + workspace_ids = (known after apply) } # tfe_variable_set.environment["tests"] will be created + resource "tfe_variable_set" "environment" { + description = "Variables for tests environment." + global = false + id = (known after apply) + name = "Environment tests" + organization = "gigapenguins" + priority = false + workspace_ids = (known after apply) } # tfe_variable_set.global will be created + resource "tfe_variable_set" "global" { + description = "Global env vars" + global = true + id = (known after apply) + name = "global" + organization = "gigapenguins" + priority = false + workspace_ids = (known after apply) } # tfe_variable_set.project["apps"] will be created + resource "tfe_variable_set" "project" { + description = "Variables for apps project." + global = false + id = (known after apply) + name = "Project apps" + organization = "gigapenguins" + priority = false + workspace_ids = (known after apply) } # tfe_variable_set.project["infra"] will be created + resource "tfe_variable_set" "project" { + description = "Variables for infra project." + global = false + id = (known after apply) + name = "Project infra" + organization = "gigapenguins" + priority = false + workspace_ids = (known after apply) } # tfe_variable_set.project["org"] will be created + resource "tfe_variable_set" "project" { + description = "Variables for org project." + global = false + id = (known after apply) + name = "Project org" + organization = "gigapenguins" + priority = false + workspace_ids = (known after apply) } # tfe_workspace.this["apps-dev"] will be updated in-place ~ resource "tfe_workspace" "this" { id = "ws-7DDHR2xaJudw8RM8" name = "apps-dev" ~ project_id = "prj-vbQToTYnRJJqq8sz" -> (known after apply) # (26 unchanged attributes hidden) } # tfe_workspace.this["apps-prod"] will be updated in-place ~ resource "tfe_workspace" "this" { id = "ws-z2GDCfQ8KNth71f3" name = "apps-prod" ~ project_id = "prj-vbQToTYnRJJqq8sz" -> (known after apply) # (26 unchanged attributes hidden) } # tfe_workspace.this["apps-stg"] will be updated in-place ~ resource "tfe_workspace" "this" { id = "ws-8QnkL9QyWRZsuVPL" name = "apps-stg" ~ project_id = "prj-vbQToTYnRJJqq8sz" -> (known after apply) # (26 unchanged attributes hidden) } # tfe_workspace.this["apps-tests"] will be updated in-place ~ resource "tfe_workspace" "this" { id = "ws-A817FY22aRN8F2q3" name = "apps-tests" ~ project_id = "prj-vbQToTYnRJJqq8sz" -> (known after apply) # (26 unchanged attributes hidden) } # tfe_workspace.this["infra-dev"] will be updated in-place ~ resource "tfe_workspace" "this" { id = "ws-xRZuMgPctMHZWzTF" name = "infra-dev" ~ project_id = "prj-V4HqcR4efFuk7UVK" -> (known after apply) # (26 unchanged attributes hidden) } # tfe_workspace.this["infra-prod"] will be updated in-place ~ resource "tfe_workspace" "this" { id = "ws-HSBkfvVTf5e2vzPU" name = "infra-prod" ~ project_id = "prj-V4HqcR4efFuk7UVK" -> (known after apply) # (26 unchanged attributes hidden) } # tfe_workspace.this["infra-tests"] will be updated in-place ~ resource "tfe_workspace" "this" { id = "ws-gPXmGrk9qNnTucSd" name = "infra-tests" ~ project_id = "prj-V4HqcR4efFuk7UVK" -> (known after apply) # (26 unchanged attributes hidden) } # tfe_workspace.this["org"] will be updated in-place ~ resource "tfe_workspace" "this" { id = "ws-ZUQRyQJbsni3vKja" name = "org" ~ project_id = "prj-hDV8qzbnNLHYTxYW" -> (known after apply) # (26 unchanged attributes hidden) } # tfe_workspace_variable_set.environment["apps-dev"] will be created + resource "tfe_workspace_variable_set" "environment" { + id = (known after apply) + variable_set_id = (known after apply) + workspace_id = "ws-7DDHR2xaJudw8RM8" } # tfe_workspace_variable_set.environment["apps-prod"] will be created + resource "tfe_workspace_variable_set" "environment" { + id = (known after apply) + variable_set_id = (known after apply) + workspace_id = "ws-z2GDCfQ8KNth71f3" } # tfe_workspace_variable_set.environment["apps-stg"] will be created + resource "tfe_workspace_variable_set" "environment" { + id = (known after apply) + variable_set_id = (known after apply) + workspace_id = "ws-8QnkL9QyWRZsuVPL" } # tfe_workspace_variable_set.environment["apps-tests"] will be created + resource "tfe_workspace_variable_set" "environment" { + id = (known after apply) + variable_set_id = (known after apply) + workspace_id = "ws-A817FY22aRN8F2q3" } # tfe_workspace_variable_set.environment["infra-dev"] will be created + resource "tfe_workspace_variable_set" "environment" { + id = (known after apply) + variable_set_id = (known after apply) + workspace_id = "ws-xRZuMgPctMHZWzTF" } # tfe_workspace_variable_set.environment["infra-prod"] will be created + resource "tfe_workspace_variable_set" "environment" { + id = (known after apply) + variable_set_id = (known after apply) + workspace_id = "ws-HSBkfvVTf5e2vzPU" } # tfe_workspace_variable_set.environment["infra-tests"] will be created + resource "tfe_workspace_variable_set" "environment" { + id = (known after apply) + variable_set_id = (known after apply) + workspace_id = "ws-gPXmGrk9qNnTucSd" } # tfe_workspace_variable_set.environment["org"] will be created + resource "tfe_workspace_variable_set" "environment" { + id = (known after apply) + variable_set_id = (known after apply) + workspace_id = "ws-ZUQRyQJbsni3vKja" } # module.org_account.aws_iam_role.terraform_cloud will be updated in-place ~ resource "aws_iam_role" "terraform_cloud" { id = "terraform_cloud" name = "terraform_cloud" ~ tags = { - "TF-workspace" = "default" -> null } ~ tags_all = { ~ "TF-workspace" = "default" -> "org" # (2 unchanged elements hidden) } # (11 unchanged attributes hidden) } # module.org_account.tfe_variable.tfc_aws_run_role_arn will be created + resource "tfe_variable" "tfc_aws_run_role_arn" { + category = "env" + description = "AWS account to authenticate to" + hcl = false + id = (known after apply) + key = "TFC_AWS_RUN_ROLE_ARN" + readable_value = "arn:aws:iam::491085405411:role/terraform_cloud" + sensitive = false + value = (sensitive value) + workspace_id = "ws-ZUQRyQJbsni3vKja" } Plan: 62 to add, 9 to change, 0 to destroy. Do you want to perform these actions in workspace "org"? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes tfe_variable_set.environment["dev"]: Creating... tfe_team.owners: Creating... tfe_variable_set.environment["prod"]: Creating... tfe_project.this["infra"]: Creating... tfe_organization_membership.this["devops@maxim.run"]: Creating... tfe_variable_set.global: Creating... tfe_variable_set.project["infra"]: Creating... tfe_project.this["apps"]: Creating... tfe_variable_set.environment["tests"]: Creating... tfe_variable_set.project["apps"]: Creating... tfe_variable_set.environment["stg"]: Creating... tfe_project.this["org"]: Creating... tfe_variable_set.project["org"]: Creating... ╷ │ Error: Error creating the new project org: invalid attribute │ │ Name has already been taken │ │ with tfe_project.this["org"], │ on tfe.tf line 7, in resource "tfe_project" "this": │ 7: resource "tfe_project" "this" { │ ╵ ╷ │ Error: Error creating variable set global, for organization: gigapenguins: invalid attribute │ │ Name has already been taken │ │ with tfe_variable_set.global, │ on tfe.tf line 24, in resource "tfe_variable_set" "global": │ 24: resource "tfe_variable_set" "global" { │ ╵ ╷ │ Error: Error creating the new project apps: invalid attribute │ │ Name has already been taken │ │ with tfe_project.this["apps"], │ on tfe.tf line 7, in resource "tfe_project" "this": │ 7: resource "tfe_project" "this" { │ ╵ ╷ │ Error: Error creating variable set Environment prod, for organization: gigapenguins: invalid attribute │ │ Name has already been taken │ │ with tfe_variable_set.environment["prod"], │ on tfe.tf line 85, in resource "tfe_variable_set" "environment": │ 85: resource "tfe_variable_set" "environment" { │ ╵ ╷ │ Error: Error creating variable set Environment dev, for organization: gigapenguins: invalid attribute │ │ Name has already been taken │ │ with tfe_variable_set.environment["dev"], │ on tfe.tf line 85, in resource "tfe_variable_set" "environment": │ 85: resource "tfe_variable_set" "environment" { │ ╵ ╷ │ Error: Error creating variable set Project infra, for organization: gigapenguins: invalid attribute │ │ Name has already been taken │ │ with tfe_variable_set.project["infra"], │ on tfe.tf line 73, in resource "tfe_variable_set" "project": │ 73: resource "tfe_variable_set" "project" { │ ╵ ╷ │ Error: Error creating variable set Environment tests, for organization: gigapenguins: invalid attribute │ │ Name has already been taken │ │ with tfe_variable_set.environment["tests"], │ on tfe.tf line 85, in resource "tfe_variable_set" "environment": │ 85: resource "tfe_variable_set" "environment" { │ ╵ ╷ │ Error: Error creating team owners for organization gigapenguins: invalid attribute │ │ Name has already been taken │ │ with tfe_team.owners, │ on tfe-access.tf line 12, in resource "tfe_team" "owners": │ 12: resource "tfe_team" "owners" { # todo / try data instaed of resource becase this team is default │ ╵ ╷ │ Error: Error creating variable set Project org, for organization: gigapenguins: invalid attribute │ │ Name has already been taken │ │ with tfe_variable_set.project["org"], │ on tfe.tf line 73, in resource "tfe_variable_set" "project": │ 73: resource "tfe_variable_set" "project" { │ ╵ ╷ │ Error: Error creating variable set Environment stg, for organization: gigapenguins: invalid attribute │ │ Name has already been taken │ │ with tfe_variable_set.environment["stg"], │ on tfe.tf line 85, in resource "tfe_variable_set" "environment": │ 85: resource "tfe_variable_set" "environment" { │ ╵ ╷ │ Error: Error creating the new project infra: invalid attribute │ │ Name has already been taken │ │ with tfe_project.this["infra"], │ on tfe.tf line 7, in resource "tfe_project" "this": │ 7: resource "tfe_project" "this" { │ ╵ ╷ │ Error: Error creating membership devops@maxim.run for organization gigapenguins: invalid attribute │ │ User is already an organization member │ │ with tfe_organization_membership.this["devops@maxim.run"], │ on tfe-access.tf line 16, in resource "tfe_organization_membership" "this": │ 16: resource "tfe_organization_membership" "this" { │ ╵ ╷ │ Error: Error creating variable set Project apps, for organization: gigapenguins: invalid attribute │ │ Name has already been taken │ │ with tfe_variable_set.project["apps"], │ on tfe.tf line 73, in resource "tfe_variable_set" "project": │ 73: resource "tfe_variable_set" "project" { │ Operation failed: failed running terraform apply (exit 1) Desktop/gigapenguins/terraform-org/terraform % ⭐️ terraform state list data.tfe_organization.this tfe_workspace.this["apps-dev"] tfe_workspace.this["apps-prod"] tfe_workspace.this["apps-stg"] tfe_workspace.this["apps-tests"] tfe_workspace.this["infra-dev"] tfe_workspace.this["infra-prod"] tfe_workspace.this["infra-tests"] tfe_workspace.this["org"] module.org_account.data.aws_iam_policy.administrator_access module.org_account.data.tls_certificate.terraform_cloud module.org_account.aws_iam_account_alias.alias module.org_account.aws_iam_openid_connect_provider.terraform_cloud module.org_account.aws_iam_role.terraform_cloud module.org_account.aws_s3_account_public_access_block.this ``` ### Expected Behavior Empty plan or Error ### Actual Behavior Terraform tries to create resources which already exist and are already in state then fails. ### Steps to Reproduce 1. `terraform init` with no remote backend. 2. Create tfe resources. **And forget to create `tfe_variable` TFE_TOKEN env var for the workspace.** 3. Uncomment tfe backend. 4. Run init, "yes" to migrate local backend. 5. Run `terraform plan` and see an inconsistent plan - tries to create resources which already exist. 6. Try `terraform state list` all resources are in place 7. Get errors "resource with this name already exist", 8. Try `terraform state list` and see that only workspaces left in state, other resources disappeared ### Additional Context I was happy to find out that migration process leaves a local `terraform.tfstate.backup`. ### References _No response_ ### Generative AI / LLM assisted development? _No response_

Relevant Products

Click on a version to see all relevant bugs

Affected versions:1.9.3

Fixed versions: No known fixed versions

Relevant Products

Click on a version to see all relevant bugs

Affected versions:1.9.3

Fixed versions: No known fixed versions

Top Terraform Defects

8.5Defect ID: 37130
Regression for certain third-party S3 backends over S3 v2 API as of 1.11.2 (ceph, hetzner)
8.5Defect ID: 36306
Configuration for X still contains unknown values during apply
8.5Defect ID: 38396
undefined module output in depends_on silently references the whole module
8.5Defect ID: 32901
1.4.0+ breaks shared provider cache
8.5Defect ID: 38517
S3 Backend does not work with `aws login` when using `source_profile` in the AWS CLI config

Ready to prevent the next vendor outage?

Get a demo

Terraform - Defect ID: 36243

Incorrect plan on tfe_ resources when TFE_TOKEN env var is not set in TFE workspace

Terraform - Defect ID: 36243

Incorrect plan on tfe_ resources when TFE_TOKEN env var is not set in TFE workspace

Last updated on January 7th, 2025

BugZero Risk Score8.5 High

Bug Details

Top Terraform Defects

Ready to prevent the next vendor outage?

Links

BugZero Risk Score
8.5 High