Problem
When you use the tfe provider with a GitHub App VCS connection in Terraform Enterprise, attempts to create a workspace using an organization or team API token fail.
The following example configuration demonstrates this scenario.

    terraform {
      required_providers {
        tfe = {
          version = ">=0.65.2"
        }
      }
    }

    provider "tfe" {
      hostname = "<tfe_fqdn>"
      token    = "<organization_token>"
    }

    resource "tfe_workspace" "this" {
      name         = "<workspace_name>"
      organization = "<organization_name>"
      source_name  = "<repo_name>"
      source_url   = "https://<tfe_fqdn>/app/org/workspaces/<workspace_name>"

      vcs_repo {
        identifier                 = "<github_org>/<repo_name>"
        github_app_installation_id = "ghain-xxxx"
      }
    }

Applying this configuration produces the following error.

    Error: Error creating workspace <workspace_name> for organization <org_name>: invalid attribute
    Repository doesn't exist or isn't accessible
      with tfe_workspace.this,
      on workspaces.tf line 1, in resource "tfe_workspace" "this":
       1: resource "tfe_workspace" "this" {

Prerequisites
- Terraform Enterprise is configured with a GitHub App for VCS integration.
- You are using the tfe provider to create a workspace.
- You are authenticating to the provider with an organization or team API token.
Cause
This behavior is expected due to how Terraform Enterprise interacts with the GitHub App. When Terraform Enterprise contacts GitHub, it passes through the permissions of an individual user. The API token used must be associated with a user account that has the necessary permissions to access the specified GitHub repository.
As noted in the HCP Terraform documentation, this requirement applies to both HCP Terraform and Terraform Enterprise.
Only an HCP Terraform user can own a GitHub App token. Team and Organization API tokens are not able to own a GitHub App token.
Solution
Solution 1: Use a User API Token
To resolve this issue, you must use a User API Token when authenticating the tfe provider. Organization and team tokens do not have the necessary user context to interact with the GitHub App and will not work for this operation.
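The configuration from the Problem section with the token swapped for a User API Token, as an added example that is not part of the original article. The variable name tfe_user_token is an assumption made for illustration; the angle-bracket placeholders are the article's own.

```hcl
terraform {
  required_providers {
    tfe = {
      source  = "hashicorp/tfe"
      version = ">=0.65.2"
    }
  }
}

# Hypothetical variable name. Marking it sensitive keeps the value
# redacted in plan and apply output. Supply it outside version control,
# for example through the TF_VAR_tfe_user_token environment variable.
variable "tfe_user_token" {
  type        = string
  sensitive   = true
  description = "User API Token of an account that can access the GitHub repository"
}

provider "tfe" {
  hostname = "<tfe_fqdn>"

  # Must be a User API Token. Organization and team tokens carry no
  # user context and cannot own a GitHub App token, so workspace
  # creation with vcs_repo fails for them.
  token = var.tfe_user_token
}

resource "tfe_workspace" "this" {
  name         = "<workspace_name>"
  organization = "<organization_name>"
  source_name  = "<repo_name>"
  source_url   = "https://<tfe_fqdn>/app/org/workspaces/<workspace_name>"

  vcs_repo {
    # The token's user must have access to this repository on GitHub.
    identifier                 = "<github_org>/<repo_name>"
    github_app_installation_id = "ghain-xxxx"
  }
}
```

Because the workspace is created with the permissions of the token's user, that account's GitHub access determines which repositories this configuration can attach.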
Outcome
After you replace the organization or team token with a User API Token from an account with appropriate repository permissions, the tfe provider can successfully create the workspace.