Introduction
When running a Terraform code on Terraform Cloud/Enterprise that manages Terraform Cloud/Enterprise ("tfe") provider resource(s), you will need to authenticate the "tfe" provider against Terraform Cloud/Enterprise, even when using the "remote" backend with remote operations and the CLI-driven Run workflow, via one of the following two options:
- Set the token argument in the provider configuration.
- Set the TFE_TOKEN environment variable.
Problem
In some cases, users can observe that the resulting plan contains the following message,
"Note: Objects have changed outside of Terraform"
and Terraform wants to create resources that already exist (present in the most recent state file).
There are several reasons for such a behavior:
- missing/wrong authentication token for "tfe" provider
- token set on the workspace does not have enough permissions
This will lead the Terraform Cloud/Enterprise API to return HTTP status code "404 not found" which will result in Terraform to assume that the resource present in the state file (e.g. team X with id Y) has been deleted outside Terraform and so will plan to create a new resource (e.g. team) in order for the environment to match the resources defined within the Terraform configuration.
Solution
Make sure that the proper token is set on the workspace using one of the methods specified above.
Note: To manage the full selection of resources, it is recommended to provide a user token from an account with appropriate permissions. This user should belong to the "owners" team of the organization you wish to manage.