Issues icon indicating copy to clipboard operation
Issues copied to clipboard
verified publisher icon OctopusDeploy

Using octostache variable references for accounts in some steps causes the account to not be found

Open patrick-smergut-octopus opened this issue 7 months ago • 0 comments

Severity

Confusing due to inconsistency, could impact many users. Workaround is straightforward.

Version

2025.3.61

Latest Version

None

What happened?

When referencing an account as an unbound variable in a deployment process step, some steps specifically need a variable name (e.g. My.Aws.Account) rather than the variable's value (e.g. using Octostache #{My.Aws.Account} or an Id Accounts-123), or account auth will fail.

To use a simple example, a Run a Script step will allow using an Octostache variable reference to the account (e.g. #{My.Aws.Account}) where the octostache resolves to the account Id (e.g. Accounts-123). However, the Plan to Apply a Terraform Template step will error if the account is set to the same octostache, indicating that the account can't be found.

Variable NAME works for steps with an account reference:

Image

Octostache doesn't work for all steps (e.g. Plan to Apply a Terrform Template will fail auth):

Image

The variable's NAME that holds the account as its value should be used in this field. So, either directly select the variable from the drop-down, or if you need to use an Octostache reference (e.g. with Tenant variables), it resolves to a single line text type variable with a value that is the NAME of an account variable (e.g. #{My.Aws.Account.Reference} would have the text string value My.Aws.Account, and the variable My.Aws.Account will be the account variable attached to the project that Octopus finds during deployment.

Expectation: We should be consistent with our steps - if one method works in one step, it should work in another.

Reproduction

Reproduction:

  1. Create a new project and add an account variable (e.g. an AWS Account)
  2. Add the associated script type step with aquick test to check auth (e.g. Run an AWS CLI Script with aws sts get-caller-identity), and set the step's account to the project variable
  3. Add a 'Plan to Apply a Terraform Template' step and set the step's account to the project variable
  4. Test that a deployment works properly
  5. Change the account in both steps to the octostache of the account variable (e.g. if your variable is My.Aws.Account change it to #{My.Aws.Account}
  6. Re-run the deployment and see that the Run a Script step auths

In the second case, the deployment will fail because the account.variable doesn't resolve to a variable name in the action.

Variable logging in the first (successful) attempt:

18:08:44   Verbose  |       [Octopus.Action[Run an AWS CLI Script].AwsAccount.Variable] = 'My.Aws.Account'
18:08:44   Verbose  |       [Octopus.Action[Plan to apply a Terraform template].AwsAccount.Variable] = 'My.Aws.Account'

Variable logging in the second (failed) attempt:

18:15:42   Verbose  |       [Octopus.Action[Run an AWS CLI Script].AwsAccount.Variable] = 'Accounts-786'
18:15:42   Verbose  |       [Octopus.Action[Plan to apply a Terraform template].AwsAccount.Variable] = 'Accounts-786'

Error and Stacktrace

18:15:42   Verbose  |       Performing variable substitution on '/home/Octopus/Work/2GleawQeB0KmmZWqFXY8Vg/template.tf'
18:15:42   Verbose  |       Performing variable substitution on '/home/Octopus/Work/2GleawQeB0KmmZWqFXY8Vg/terraform.tfvars'
18:15:42   Error    |       Running rollback behaviours...
18:15:42   Error    |       AWS-LOGIN-ERROR-0006: Failed to login via external credentials assigned to the worker. For more information visit [https://oc.to/t9nRNg](https://oc.to/t9nRNg)
18:15:42   Error    |       System.Exception
18:15:42   Error    |       at Calamari.CloudAccounts.AwsEnvironmentGeneration.Initialise() in C:\BuildAgent\work\e61a42f6adc5dcb6\source\Calamari.CloudAccounts\AwsEnvironmentGeneration.cs:line 59
18:15:42   Error    |       at Calamari.CloudAccounts.AwsEnvironmentGeneration.Create(ILog log, IVariables variables, Func`1 verifyLogin) in C:\BuildAgent\work\e61a42f6adc5dcb6\source\Calamari.CloudAccounts\AwsEnvironmentGeneration.cs:line 46
18:15:42   Error    |       at Calamari.Terraform.Behaviours.TerraformDeployBehaviour.Execute(RunningDeployment context) in C:\BuildAgent\work\e61a42f6adc5dcb6\source\Calamari.Terraform\Behaviours\TerraformDeployBehaviour.cs:line 42
18:15:42   Error    |       at Calamari.Common.Plumbing.Pipeline.PipelineCommand.ExecuteBehaviour(RunningDeployment context, IBehaviour behaviour) in C:\BuildAgent\work\e61a42f6adc5dcb6\source\Calamari.Common\Plumbing\Pipeline\PipelineCommand.cs:line 164
18:15:42   Error    |       at Calamari.Common.Plumbing.Pipeline.PipelineCommand.Execute(ILifetimeScope lifetimeScope, IVariables variables) in C:\BuildAgent\work\e61a42f6adc5dcb6\source\Calamari.Common\Plumbing\Pipeline\PipelineCommand.cs:line 60
18:15:42   Error    |       at Calamari.Common.Plumbing.Pipeline.PipelineCommand.Execute(ILifetimeScope lifetimeScope, IVariables variables) in C:\BuildAgent\work\e61a42f6adc5dcb6\source\Calamari.Common\Plumbing\Pipeline\PipelineCommand.cs:line 84
18:15:42   Error    |       at Calamari.Common.CalamariFlavourProgramAsync.Run(String[] args) in C:\BuildAgent\work\e61a42f6adc5dcb6\source\Calamari.Common\CalamariFlavourProgramAsync.cs:line 143
18:15:42   Verbose  |       Process /bin/bash in /home/Octopus/Work/2GleawQeB0KmmZWqFXY8Vg exited with code 100

More Information

No response

Workaround

Use a variable NAME in the step's account selection, or make sure Octostache resolves to a string that is a variable's name.

patrick-smergut-octopus avatar Jun 06 '25 23:06 patrick-smergut-octopus