Introduction
When running Terraform code on HCP Terraform / Terraform Enterprise that manages HCP Terraform / Terraform Enterprise resources via the "tfe" provider, you will need to setup authentication for the "tfe" provider, even when using the CLI-driven Run workflow where an API token is set up for the local Terraform CLI. There are two options to do this:
- Set the token argument in the provider configuration.
- Set the TFE_TOKEN environment variable.
Problem
In some cases, users can observe that the resulting plan contains the following message,
"Note: Objects have changed outside of Terraform"
and Terraform will plan to create resources that already exist (present in the most recent state file).
There are several reasons for such a behavior:
- missing/wrong authentication token for "tfe" provider
- token set on the workspace does not have enough permissions
This will lead the Terraform Cloud/Enterprise API to return HTTP status code "404 not found" which will result in Terraform assuming that the resource present in the state file (e.g. team X with id Y) has been deleted outside Terraform and so will plan to create a new resource (e.g. team) in order for the environment to match the resources defined within the Terraform configuration.
Solution
Make sure that the proper token is set on the workspace using one of the methods specified above.
Note: To manage the full selection of resources, it is recommended to provide a user token from an account with appropriate permissions. This user should belong to the "owners" team of the organization you wish to manage.