tfe_outputs data call succeeds and returns empty output when workspace doesn't share outputs #1124

Open
stfoxdeloitte opened this issue Oct 31, 2023 · 2 comments

@stfoxdeloitte

Terraform Cloud/Enterprise version

Terraform Cloud

tfe provider: 0.49.2

Terraform version

Encountered the issue when the workspace was using 1.5.2, 1.5.6, and 1.6.2

...

Terraform Configuration Files

data "tfe_outputs" "upstream" {
  organization = "MyOrg"
  workspace    = "my-upstream-workspace"
}

locals {
  my_var = data.tfe_outputs.upstream.nonsensitive_values.my_output
}

Debug Output

...

Expected Behavior

The data call to the workspace outputs should fail if the workspace outputs are not shared with the calling workspace (presumably, it should have encountered a 401, 403, or possibly 404, and returned an error).

Actual Behavior

The data tfe_outputs call succeeds, but later fails with a misleading error message that the workspace/state output attributes do not exist.

data.tfe_outputs.upstream.nonsensitive_values is object with no attributes
This object does not have an attribute named "my_output".

Additional Context

After configuring the upstream workspace to share workspace outputs with the downstream workspace, the data call obviously resolves and succeeds.

@nfagerlund
Contributor

Hello!

So, tfe_outputs was designed to work properly without needing to share outputs between workspaces.

However, in order to do that, it expects that you are configuring the tfe provider with an appropriate user or team token that has permission to view state outputs in the affected workspaces. That design allows the user to set everything up using the normal team permissions interface.

From the text of this report, it sounds like you're maybe trying to use the tfe provider in a Terraform Cloud or Enterprise workspace WITHOUT explicitly providing it an access token in the TFE_TOKEN environment variable. Is that correct? If so, then I believe the provider will still fall back to using the ephemeral run token associated with the host workspace, which indeed can't access other workspaces' outputs without those sharing settings.

Assuming I'm right about the above, I suggest creating a dedicated "provider access" team with read access to any workspace outputs you need, and then providing that team's token as an environment variable to the workspaces that need those outputs.

@nfagerlund
Contributor

That said, I'm curious about the "success, but empty" behavior — that doesn't seem right at all, and it might turn out to be a genuine bug. Worth investigating!
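
Added example, not part of the original thread or the provider's own code: one way to make the empty result described in this issue fail with a clear message, using a Terraform `postcondition` on the data source. The organization, workspace and output names are the ones from the report; the error text and the empty `provider` block are assumptions for illustration.

```hcl
# Added example. The token is deliberately not set in configuration:
# supply a team token with read access to the upstream workspace's state
# outputs through the sensitive TFE_TOKEN environment variable on the
# downstream workspace, so the provider does not fall back to the
# run token of the host workspace.
provider "tfe" {}

data "tfe_outputs" "upstream" {
  organization = "MyOrg"
  workspace    = "my-upstream-workspace"

  lifecycle {
    # Check the result of the read itself. An object with no attributes
    # (the symptom in this report) fails here, and the plan stops with a
    # message that names the likely cause.
    postcondition {
      condition     = contains(keys(self.nonsensitive_values), "my_output")
      error_message = "Output \"my_output\" was not returned by my-upstream-workspace. Check that the token used by the tfe provider can read that workspace's state outputs, or that the workspace shares its outputs with this one."
    }
  }
}

locals {
  my_var = data.tfe_outputs.upstream.nonsensitive_values.my_output
}
```

Postconditions on data sources require Terraform 1.2 or later, which covers the versions listed in the report.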
