aws-service-catalog-engine-for-tfc

TFC local execution for deploying TRE module

Open wellsiau-aws opened this issue 1 year ago • 2 comments

For customers using TFC to deploy this module, they normally create a new TFC workspace using remote execution mode.

Deploying this module using its default tfe provider configuration will fail:

```
│ Error: Error creating team aws-service-catalog for organization wellsiau-org: resource not found
│ 
│   with tfe_team.provisioning_team,
│   on tfc_auth.tf line 1, in resource "tfe_team" "provisioning_team":
│    1: resource "tfe_team" "provisioning_team" {
```

A couple of potential workarounds:

  1. Use local execution mode and store the credential token for tfe locally

  2. Set the TFE_TOKEN environment var on the TFC workspace for authentication

  3. Use secret manager (or Vault) to retrieve the token, probably using an example as shown below.

```hcl
# Configure the Terraform Cloud / Enterprise provider
provider "tfe" {
  hostname = var.tfc_hostname
  token    = data.aws_secretsmanager_secret_version.tfe_token_secret.secret_string
}
```

wellsiau-aws avatar Jul 21 '23 04:07 wellsiau-aws

Thanks for this!

I am having the issue you describe - could you please be explicit about how you are storing, and sourcing, the credential token for tfe locally?

In my case, I generated it in the UI, and have tried both:

  1. Entering it in my CLI config file as such:

```hcl
terraform {
  cloud {
    organization = "example"

    workspaces {
      name = "example-engine"
    }
  }
}

credentials "app.terraform.io" {
  token = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
```

  2. Setting a local environment variable as:

```sh
export TFE_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

Additionally, I have changed the TFC workspace setting to local and set the TFE_TOKEN variable there, but the "resource not found" error persists.

Thanks

deloitte-lza-test avatar Sep 14 '23 07:09 deloitte-lza-test

@deloitte-lza-test

If you want to test this locally (I still highly recommend storing the token externally, i.e. Secrets Manager),

using the token inside the tfe provider block:

```hcl
provider "tfe" {
  hostname = var.hostname # Optional, defaults to Terraform Cloud `app.terraform.io`
  token    = var.token
  # A version constraint inside a provider block is deprecated in current
  # Terraform; the supported place for it is terraform.required_providers.
  version  = "~> 0.48.0"
}
```

Also worth checking if you are using a token with the right permissions to create a team in TFC.

wellsiau-aws avatar Sep 14 '23 15:09 wellsiau-aws
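Workaround 3 from the opening post (reading the token from AWS Secrets Manager), written out as a complete configuration. This is an added example, not part of the thread or of the project's own code. It assumes a secret that already exists and stores the TFC API token as a plain string; the variable `tfe_token_secret_name` is a hypothetical name introduced here, and AWS credentials and region are assumed to come from the environment.

```hcl
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
    tfe = {
      source  = "hashicorp/tfe"
      version = "~> 0.48.0" # constraint quoted in the thread
    }
  }
}

variable "tfc_hostname" {
  description = "Terraform Cloud / Enterprise hostname."
  type        = string
  default     = "app.terraform.io"
}

# Hypothetical variable (assumption): name of an existing Secrets Manager
# secret whose plaintext value is the TFC API token.
variable "tfe_token_secret_name" {
  description = "Name of the Secrets Manager secret that holds the TFC token."
  type        = string
}

# Look the secret up by name, then read its current version.
data "aws_secretsmanager_secret" "tfe_token_secret" {
  name = var.tfe_token_secret_name
}

data "aws_secretsmanager_secret_version" "tfe_token_secret" {
  secret_id = data.aws_secretsmanager_secret.tfe_token_secret.id
}

# The token never appears in .tf files, CLI config or shell history.
# The provider marks secret_string as sensitive, so plan output redacts it.
provider "tfe" {
  hostname = var.tfc_hostname
  token    = data.aws_secretsmanager_secret_version.tfe_token_secret.secret_string
}
```

Terraform records data source results in state, so the token value is still present in the state file and access to that state needs the same protection as the secret itself. The identity running Terraform needs `secretsmanager:GetSecretValue` on the secret.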