terragrunt
Some Terraform errors are not displayed when running `terragrunt plan`
Describe the bug
When running terragrunt plan and having authentication errors, the errors returned by Terraform are not displayed in Terragrunt output.
Steps To Reproduce
I used the following piece of code to compare Terragrunt and Terraform errors with my code:
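```bash
# Run the plan through Terragrunt; keep going even if it fails
terragrunt plan --terragrunt-log-level debug --terragrunt-debug || true
# Enter the generated working copy inside the Terragrunt cache
cd "${TERRAGRUNT_WORKING_DIR}/.terragrunt-cache"
cd "$(ls -d ./* | head -n 1)"
cd "$(ls -d ./* | head -n 1)"
# Run the same plan directly with Terraform to compare the output
terraform plan
```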
Terragrunt output:
```
11:06:25.132 STDOUT terraform: Planning failed. Terraform encountered an error while generating this plan.
11:06:25.132 STDOUT terraform:
11:06:25.249 ERROR terraform invocation failed in {REDACTED}/.terragrunt-cache/{REDACTED} error=[/builds/{REDACTED}/.terragrunt-cache/{REDACTED}] exit status 1
11:06:25.250 ERROR 1 error occurred:
* [{REDACTED}/.terragrunt-cache/{REDACTED}] exit status 1
```
Terraform output:
```
Planning failed. Terraform encountered an error while generating this plan.
╷
│ Error: building client: unable to obtain access token: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS700213: No matching federated identity record found for presented assertion subject 'project_path:{REDACTED}'. Please note that the matching is done using a case-sensitive comparison. Check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://learn.microsoft.com/entra/workload-id/workload-identity-federation {REDACTED}}
│
│ with provider["registry.terraform.io/hashicorp/azuread"],
│ on providers.tf line 1, in provider "azuread":
│ 1: provider "azuread" {
│
╵
╷
│ Error: building account: could not acquire access token to parse claims: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS700213: No matching federated identity record found for presented assertion subject 'project_path:{REDACTED}'. Please note that the matching is done using a case-sensitive comparison. Check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://learn.microsoft.com/entra/workload-id/workload-identity-federation {REDACTED}"}
│
│ with provider["registry.terraform.io/hashicorp/azurerm"],
│ on providers.tf line 5, in provider "azurerm":
│ 5: provider "azurerm" {
│
╵
```
Expected behavior
The full Terraform output must be present in Terragrunt output
Nice to haves
- [ ] Terminal output
- [ ] Screenshots
Versions
- Terragrunt version: 0.67.1
- OpenTofu/Terraform version: Terraform 1.9.5
- Environment details (Ubuntu 20.04, Windows 10, etc.): Docker image alpine/terragrunt:1.9.5, see: https://hub.docker.com/layers/alpine/terragrunt/1.9.5/images/sha256-41a36dac2c44083a6c594caad48834e44880c4c11c2f5e5a9ce1d51556683cf3?context=explore
Additional context
Add any other context about the problem here.
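A CI-side check for the symptom reported above, as an added example that is not part of the original issue or of Terragrunt's code: it parses captured Terragrunt output in the line format quoted in the report and flags runs that failed without any forwarded Terraform `Error:` diagnostic, so a hidden authentication failure is not triaged as a bare `exit status 1`. The function name `analyze` and the second sample log (including its `STDERR` level) are constructed for illustration.

```python
import re

# Line shape taken from the Terragrunt output quoted in the report:
#   "11:06:25.132 STDOUT terraform: Planning failed. ..."
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) ([A-Z]+) (.*)$")
EXIT_RE = re.compile(r"exit status ([1-9]\d*)")
# Terraform diagnostic header, with or without the box-drawing gutter.
DIAG_RE = re.compile(r"(?:^|[│|]\s*)Error: \S")

# Sample 1: the Terragrunt output from the report (paths redacted there).
REPORTED = """\
11:06:25.132 STDOUT terraform: Planning failed. Terraform encountered an error while generating this plan.
11:06:25.132 STDOUT terraform:
11:06:25.249 ERROR terraform invocation failed in {REDACTED}/.terragrunt-cache/{REDACTED} error=[/builds/{REDACTED}/.terragrunt-cache/{REDACTED}] exit status 1
11:06:25.250 ERROR 1 error occurred:
* [{REDACTED}/.terragrunt-cache/{REDACTED}] exit status 1
"""

# Sample 2 (constructed): the same run if the diagnostic had been forwarded.
FORWARDED = REPORTED.replace(
    "11:06:25.132 STDOUT terraform:\n",
    "11:06:25.132 STDERR terraform: │ Error: building client: unable to obtain access token\n",
)


def analyze(log_text):
    """Report whether a run failed and whether any diagnostic reached the log."""
    failed, diagnostics = False, []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        level, msg = (m.group(2), m.group(3)) if m else ("", line)
        if msg.startswith("terraform:"):  # forwarded Terraform line
            msg = msg[len("terraform:"):].strip()
        if msg.startswith("Planning failed") or (level == "ERROR" and EXIT_RE.search(msg)):
            failed = True
        if DIAG_RE.search(msg):
            diagnostics.append(msg)
    return {"failed": failed, "diagnostics": diagnostics,
            "swallowed": failed and not diagnostics}


if __name__ == "__main__":
    for name, log in (("reported", REPORTED), ("forwarded", FORWARDED)):
        result = analyze(log)
        print(name, "failed:", result["failed"], "swallowed:", result["swallowed"])
```

Lines without the Terragrunt timestamp prefix are still scanned, so the same function accepts raw `terraform plan` output.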
+1
Was just about to open this bug myself.
Can only see the terraform form after manually copy-pasting the terraform command from terragrunt's debug output: `terraform -chdir="..." apply -auto-approve -input=false -var-file="..."`
In my case the error was an error in the .tf file.
A quick update: it looks to be specific to some errors (maybe it is due to the format, or it is because it is an error happening during provider authentication).
Looks like a duplicate of #3376.
Looks similar yes, I do not have the broken pipe message (I also saw it in other cases) but the other issue also covers this case.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for raising this issue.
Experiencing the same issue (the error message not being printed) during the usage of postconditions on data sources. The error is specified in the `error_message` field, but is not printed.
Do you have a way to reproduce this issue?