Problem
The Terraform Cloud/Enterprise remote backend does not allow imports when the provider configuration depends on sensitive remote variables. The command fails with the following error:
$ terraform import aws_vpc.net vpc-a01106c2
Warning: Value for var.access_key unavailable
The value of variable "access_key" is marked as sensitive in the remote workspace.
This operation always runs locally, so the value for that variable is not available.
Error: Invalid provider configuration
on /Users/petersouter/projects/terraform_tfvars_import/main.tf line 15:
15: provider "aws" {
The configuration for provider["registry.terraform.io/hashicorp/aws"] depends on values
that cannot be determined until apply.
Cause
Variables marked as sensitive in Terraform Cloud/Enterprise cannot have their values retrieved via the API. So for a local operation such as import, the variables are set with empty or null placeholder values so that some kinds of local operations can succeed.
However, there is currently no way to overwrite these null/empty placeholder values with the standard Terraform CLI options (e.g. -var, -var-file, TF_VAR_ environment variables).
Solution
There are a few ways you can work around this situation. One way is to change the way the provider is defined locally to use local credentials, and another way is to make an override file.
For example, consider importing a VPC, where the credentials for the AWS provider are set using sensitive variables in TFC/TFE:
# main.tf
terraform {
  backend "remote" {
    organization = "your_organization"
    workspaces {
      name = "your_workspace"
    }
  }
}

variable "access_key" {}
variable "secret_key" {}
variable "region" {}
variable "token" {}

provider "aws" {
  access_key = var.access_key
  secret_key = var.secret_key
  token      = var.token
  region     = var.region
}

resource "aws_vpc" "net" {
  cidr_block = "10.0.0.0/16"
}
To unobtrusively rewrite the provider block, create an override file:
# main_override.tf
provider "aws" {
  access_key = null
  secret_key = null
  token      = null
}
Because configurations from overrides are merged, it's necessary to be explicit about unsetting the arguments by using null.
Then, to have the import succeed, you can set the AWS credentials via environment variables or a "~/.aws/credentials" file.
Note: The warning about the sensitive variables will still appear, but because those variables are no longer required for the import, it will succeed.
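The workaround above as a shell wrapper (an added example, not HashiCorp's own script): it checks that local AWS credentials exist, writes the override file, runs the import, and removes the override afterwards. The function names, the early credential check and the cleanup step are assumptions of this example; only the override contents and the `terraform import` command come from the article.

```shell
#!/bin/sh
# Added example: wraps the override-file workaround. Function names are
# hypothetical and not part of Terraform or the original article.

OVERRIDE_FILE="main_override.tf"

# True when the AWS provider can find credentials without Terraform
# variables: static keys in the environment, or a non-empty shared
# credentials file (default ~/.aws/credentials).
have_local_aws_creds() {
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        return 0
    fi
    [ -s "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}" ]
}

# Write the override from the article into directory $1.
# Refuses to clobber an override file that already exists.
write_override() {
    target="$1/$OVERRIDE_FILE"
    if [ -e "$target" ]; then
        echo "refusing to overwrite $target" >&2
        return 1
    fi
    cat > "$target" <<'EOF'
# main_override.tf (temporary, for local import only)
provider "aws" {
  access_key = null
  secret_key = null
  token      = null
}
EOF
}

# Usage: import_with_override <config_dir> <resource_address> <resource_id>
import_with_override() {
    dir="$1"; addr="$2"; id="$3"
    have_local_aws_creds || { echo "no local AWS credentials found" >&2; return 2; }
    write_override "$dir" || return 1
    rc=0
    # Subshell keeps the cd local to this call.
    ( cd "$dir" && terraform import "$addr" "$id" ) || rc=$?
    # Remove the override whether or not the import succeeded (a choice made
    # in this example), so the null arguments are not merged into later runs.
    rm -f "$dir/$OVERRIDE_FILE"
    return "$rc"
}
```

For the article's case the call would be `import_with_override . aws_vpc.net vpc-a01106c2`, run from the directory containing main.tf.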
Additional Information
If you are unable to resolve the issue please contact support at tf-cloud@hashicorp.support or submit a ticket via our support portal.