Problem
When running Terraform code in HCP Terraform or Terraform Enterprise that manages resources using the tfe provider, a plan may unexpectedly show changes for resources that already exist. The plan output includes the following message:
Note: Objects have changed outside of Terraform
Terraform then proposes to create resources that are already present in the state file, leading to potential duplication or errors.
Prerequisites
- Using the tfe provider to manage resources within HCP Terraform or Terraform Enterprise.
- Executing runs within HCP Terraform or Terraform Enterprise, including the CLI-driven run workflow.
Cause
This issue occurs because the tfe provider is not properly authenticated or lacks the necessary permissions to read the existing resources from the HCP Terraform or Terraform Enterprise API.
Common causes include:
- A missing or incorrect authentication token for the tfe provider.
- The token configured for the workspace does not have sufficient permissions to manage the resources defined in the configuration.
When the provider cannot authenticate correctly, the API returns an HTTP 404 Not Found status. Terraform interprets this response as the resource having been deleted outside of its control and consequently plans to recreate it.
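The symptom described above can be caught before apply by inspecting the plan's JSON form. The following is an added example, not HashiCorp's code: it assumes the plan was exported with terraform show -json and reads that format's resource_drift and resource_changes arrays. The function name phantom_recreates and the sample plan are constructed for illustration.

```python
import json

# Constructed sample: trimmed `terraform show -json` output for a plan where
# the tfe provider received 404s during refresh (addresses are illustrative).
SAMPLE_PLAN = json.loads("""
{
  "resource_drift": [
    {"address": "tfe_workspace.app", "type": "tfe_workspace",
     "change": {"actions": ["delete"]}},
    {"address": "tfe_team.dev", "type": "tfe_team",
     "change": {"actions": ["update"]}}
  ],
  "resource_changes": [
    {"address": "tfe_workspace.app", "type": "tfe_workspace",
     "change": {"actions": ["create"]}},
    {"address": "tfe_team.dev", "type": "tfe_team",
     "change": {"actions": ["update"]}},
    {"address": "tfe_variable.new", "type": "tfe_variable",
     "change": {"actions": ["create"]}}
  ]
}
""")


def phantom_recreates(plan, type_prefix="tfe_"):
    """Return addresses that refresh reported as deleted and the plan recreates.

    A resource that is in state, vanishes during refresh, and is then planned
    for creation matches the 404-on-read symptom described above.
    """
    def actions(entry):
        return (entry.get("change") or {}).get("actions", [])

    # Resources the refresh step believes were deleted outside Terraform.
    gone = {
        r["address"]
        for r in plan.get("resource_drift") or []
        if r.get("type", "").startswith(type_prefix) and actions(r) == ["delete"]
    }
    # Of those, the ones the plan now proposes to create again.
    return sorted(
        r["address"]
        for r in plan.get("resource_changes") or []
        if r["address"] in gone and "create" in actions(r)
    )


if __name__ == "__main__":
    hits = phantom_recreates(SAMPLE_PLAN)
    for address in hits:
        print(f"check provider token/permissions before apply: {address}")
    raise SystemExit(1 if hits else 0)
```

A genuine out-of-band deletion produces the same pattern, so a hit is a prompt to verify the provider token and its permissions, not proof of an authentication failure.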
Solution
To resolve this issue, you must configure a valid API token for the tfe provider within the workspace's execution environment. This is required even when using a CLI-driven workflow where a token is already configured locally.
You can authenticate the provider using one of the following methods:
- Set the token argument in the provider configuration block.
- Set the TFE_TOKEN environment variable in the workspace settings.
Note: To manage the full selection of resources, it is recommended to provide a user token from an account with appropriate permissions. This user should belong to the owners team of the organization you wish to manage.