terraform-provider-google
Unable to import resources? (with TFE?)
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
- Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
- If you are interested in working on this issue or have submitted a pull request, please leave a comment.
- If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.
Terraform Version
Terraform v1.2.8
on darwin_amd64
+ provider registry.terraform.io/hashicorp/google v4.30.0
+ provider registry.terraform.io/hashicorp/null v3.1.1
Affected Resource(s)
google_container_node_pool
Terraform Configuration Files
# (It's a lengthy module; I don't think it is necessary, here.)
Debug Output
2022-08-25T16:43:04.081-0400 [WARN] ValidateProviderConfig from "provider[\"registry.terraform.io/hashicorp/google\"]" changed the config value, but that value is unused
2022-08-25T16:43:04.082-0400 [INFO] provider.terraform-provider-google_v4.30.0_x5: 2022/08/25 16:43:04 [INFO] Authenticating using DefaultClient...: timestamp=2022-08-25T16:43:04.082-0400
2022-08-25T16:43:04.082-0400 [INFO] provider.terraform-provider-google_v4.30.0_x5: 2022/08/25 16:43:04 [INFO] -- Scopes: [https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email]: timestamp=2022-08-25T16:43:04.082-0400
2022-08-25T16:43:04.082-0400 [INFO] provider.terraform-provider-google_v4.30.0_x5: 2022/08/25 16:43:04 [INFO] Authenticating using DefaultClient...: timestamp=2022-08-25T16:43:04.082-0400
2022-08-25T16:43:04.082-0400 [INFO] provider.terraform-provider-google_v4.30.0_x5: 2022/08/25 16:43:04 [INFO] -- Scopes: [https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email]: timestamp=2022-08-25T16:43:04.082-0400
2022-08-25T16:43:04.082-0400 [INFO] provider.terraform-provider-google_v4.30.0_x5: 2022/08/25 16:43:04 [DEBUG] Waiting for state to become: [success]: timestamp=2022-08-25T16:43:04.082-0400
2022-08-25T16:43:04.335-0400 [INFO] provider.terraform-provider-google_v4.30.0_x5: 2022/08/25 16:43:04 [INFO] error retrieving userinfo for your provider credentials. have you enabled the 'https://www.googleapis.com/auth/userinfo.email' scope? error: error retrieving userinfo for your provider credentials. have you enabled the 'https://www.googleapis.com/auth/userinfo.email' scope? error: Get "https://openidconnect.googleapis.com/v1/userinfo?alt=json": oauth2: cannot fetch token: 400 Bad Request
Response: {
"error": "invalid_grant",
"error_description": "Bad Request"
}: timestamp=2022-08-25T16:43:04.334-0400
2022-08-25T16:43:04.335-0400 [INFO] provider.terraform-provider-google_v4.30.0_x5: 2022/08/25 16:43:04 [INFO] Terraform is using this identity:: timestamp=2022-08-25T16:43:04.334-0400
2022-08-25T16:43:04.335-0400 [INFO] provider.terraform-provider-google_v4.30.0_x5: 2022/08/25 16:43:04 [DEBUG] matching ID [snip]/pool2 to regex (?P<project>[^/]+)/(?P<location>[^/]+)/(?P<cluster>[^/]+)/(?P<name>[^/]+).: timestamp=2022-08-25T16:43:04.335-0400
2022-08-25T16:43:04.335-0400 [INFO] provider.terraform-provider-google_v4.30.0_x5: 2022/08/25 16:43:04 [DEBUG] importing project = [snip]: timestamp=2022-08-25T16:43:04.335-0400
2022-08-25T16:43:04.335-0400 [INFO] provider.terraform-provider-google_v4.30.0_x5: 2022/08/25 16:43:04 [DEBUG] importing location = us-east1-a: timestamp=2022-08-25T16:43:04.335-0400
2022-08-25T16:43:04.335-0400 [INFO] provider.terraform-provider-google_v4.30.0_x5: 2022/08/25 16:43:04 [DEBUG] importing cluster = [snip]: timestamp=2022-08-25T16:43:04.335-0400
2022-08-25T16:43:04.335-0400 [INFO] provider.terraform-provider-google_v4.30.0_x5: 2022/08/25 16:43:04 [DEBUG] importing name = pool2: timestamp=2022-08-25T16:43:04.335-0400
2022-08-25T16:43:04.335-0400 [INFO] provider.terraform-provider-google_v4.30.0_x5: 2022/08/25 16:43:04 [DEBUG] parent cluster [snip] does not match regex projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)/clusters/(?P<name>[^/]+): timestamp=2022-08-25T16:43:04.335-0400
2022-08-25T16:43:04.335-0400 [INFO] provider.terraform-provider-google_v4.30.0_x5: 2022/08/25 16:43:04 [DEBUG] Waiting for state to become: [success]: timestamp=2022-08-25T16:43:04.335-0400
2022-08-25T16:43:04.336-0400 [INFO] provider.terraform-provider-google_v4.30.0_x5: 2022/08/25 16:43:04 [INFO] Instantiating GKE client for path https://container.googleapis.com/: timestamp=2022-08-25T16:43:04.335-0400
2022-08-25T16:43:04.336-0400 [INFO] provider.terraform-provider-google_v4.30.0_x5: 2022/08/25 16:43:04 [DEBUG] Retry Transport: starting RoundTrip retry loop: timestamp=2022-08-25T16:43:04.336-0400
2022-08-25T16:43:04.336-0400 [INFO] provider.terraform-provider-google_v4.30.0_x5: 2022/08/25 16:43:04 [DEBUG] Retry Transport: request attempt 0: timestamp=2022-08-25T16:43:04.336-0400
2022-08-25T16:43:04.336-0400 [INFO] provider.terraform-provider-google_v4.30.0_x5: 2022/08/25 16:43:04 [DEBUG] Google API Request Details:
---[ REQUEST ]---------------------------------------
GET /v1/projects/[snip]/locations/us-east1-a/clusters/[snip]?alt=json&prettyPrint=false HTTP/1.1
Host: container.googleapis.com
User-Agent: google-api-go-client/0.5 Terraform/1.2.8 (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google/dev
X-Goog-Api-Client: gl-go/1.16.14 gdcl/0.82.0
Accept-Encoding: gzip
-----------------------------------------------------: timestamp=2022-08-25T16:43:04.336-0400
2022-08-25T16:43:04.354-0400 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2022-08-25T16:43:04.356-0400 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/null/3.1.1/darwin_amd64/terraform-provider-null_v3.1.1_x5 pid=10216
2022-08-25T16:43:04.356-0400 [DEBUG] provider: plugin exited
2022-08-25T16:43:04.375-0400 [INFO] provider.terraform-provider-google_v4.30.0_x5: 2022/08/25 16:43:04 [DEBUG] Retry Transport: Stopping retries, last request failed with non-retryable error: oauth2: cannot fetch token: 400 Bad Request
Response: {
"error": "invalid_grant",
"error_description": "Bad Request"
}: timestamp=2022-08-25T16:43:04.375-0400
2022-08-25T16:43:04.375-0400 [INFO] provider.terraform-provider-google_v4.30.0_x5: 2022/08/25 16:43:04 [DEBUG] Retry Transport: Returning after 1 attempts: timestamp=2022-08-25T16:43:04.375-0400
2022-08-25T16:43:04.375-0400 [ERROR] provider.terraform-provider-google_v4.30.0_x5: Response contains error diagnostic: tf_req_id=3e580b11-9e4b-ddaf-e7af-3a38cd6a391c tf_resource_type=google_container_node_pool @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/diag/diagnostics.go:56 @module=sdk.proto diagnostic_summary="Get "https://container.googleapis.com/v1/projects/[snip]/locations/us-east1-a/clusters/[snip]?alt=json&prettyPrint=false": oauth2: cannot fetch token: 400 Bad Request
Response: {
"error": "invalid_grant",
"error_description": "Bad Request"
}" tf_proto_version=5.2 tf_provider_addr=provider tf_rpc=ImportResourceState diagnostic_detail= diagnostic_severity=ERROR timestamp=2022-08-25T16:43:04.375-0400
2022-08-25T16:43:04.376-0400 [ERROR] vertex "module.[snip].google_container_node_pool.node_pool[\"pool2\"] (import id \"[snip]/us-east1-a/[snip]/pool2\")" error: Get "https://container.googleapis.com/v1/projects/[snip]/locations/us-east1-a/clusters/[snip]?alt=json&prettyPrint=false": oauth2: cannot fetch token: 400 Bad Request
Response: {
"error": "invalid_grant",
"error_description": "Bad Request"
}
╷
│ Warning: Value for var.bridgecrew_token unavailable
│
│ The value of variable "bridgecrew_token" is marked as sensitive in the remote workspace. This operation always runs locally, so the value for that variable is not available.
╵
╷
│ Error: Get "https://container.googleapis.com/v1/projects/[snip]/locations/us-east1-a/clusters/[snip]?alt=json&prettyPrint=false": oauth2: cannot fetch token: 400 Bad Request
│ Response: {
│ "error": "invalid_grant",
│ "error_description": "Bad Request"
│ }
│
│
╵
2022-08-25T16:43:04.633-0400 [DEBUG] provider.terraform-provider-google_v4.30.0_x5: 2022/08/25 16:43:04 [DEBUG] [core] [Server #1 ListenSocket #2] ListenSocket deleted
2022-08-25T16:43:04.633-0400 [DEBUG] provider.terraform-provider-google_v4.30.0_x5: 2022/08/25 16:43:04 [DEBUG] [transport] transport: http2Server.HandleStreams failed to read frame: read unix /var/folders/gk/lygtd_4d6x3f6l8k2k2pvczc0000gn/T/plugin059783194->: use of closed network connection
2022-08-25T16:43:04.633-0400 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2022-08-25T16:43:04.638-0400 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/google/4.30.0/darwin_amd64/terraform-provider-google_v4.30.0_x5 pid=10215
2022-08-25T16:43:04.638-0400 [DEBUG] provider: plugin exited
Panic Output
Expected Behavior
The resource gets imported.
Actual Behavior
terraform import fails with errors. (And not useful ones, neither…)
Steps to Reproduce
terraform import 'module.[snip].google_container_node_pool.node_pool["pool2"]' [snip]/us-east1-a/[snip]/pool2
Important Factoids
TFE; the workspace is configured with a service account, but locally, it's me, of course.
In past experience with other providers, Terraform will use different authentication details for terraform import (typically the local ones) than it will for terraform plan/terraform apply (typically the remote ones).
Either account should have sufficient access.
References
@roy-work those two import commands work for me.
Did you notice the error below? You might want to fix this problem first. Are you able to create a cluster with the same account?
oauth2: cannot fetch token: 400 Bad Request
Did you notice the error below? You might want to fix this problem first.
Not only did I see it, it is the core of this issue. I consider it a bug in terraform; if it is something I need to correct (I don't believe it is) the diagnostic TF is emitting is too vague to be helpful enough to understand what it is I am doing wrong.
Are you able to create a cluster with the same account?
Yes, via the website console / UI. GCP's gcloud has proven somewhat opaque and difficult to use. But, and again, my account should have sufficient access to do what I'm doing here. (I'm not creating a cluster, I'm importing a node pool within it. I have both "Cloud Browser" and "Owner" over the project.)
You say they "work for you"; out of curiosity, are you using TFE as a backend? Given how weirdly TFE, imports, & auth interact, I think that very well could make or break the bug.
@roy-work all I did was test the provider's import functionality. This is what the repo focuses on. Without knowing further, I can't comment on what happened with your issue. The issue could well be in other tools. You probably want to debug by separating the tools and step by step. If you can repro the issue at the resource level, please provide the config and steps so I can repro the issue. Does this make sense?
Does this make sense?
No. I have a particular resource here, in my instance, which fails, repeatedly, and I've no idea on how to make forward progress with that, given that the diagnostic, again — presumably from the provider — is useless. All I really can tell from it is that it is an auth issue; but since I have a valid gcloud auth locally, and the credentials supplied to TFE suffice/work for other operations, "bad auth" doesn't seem to be the actual root cause.
(Further, that the error code returned is 400 indicates it to be a bug in the provider.)
The issue could well be in other tools. You probably want to debug by separating the tools and step by step.
It's not realistic to separate TFE out; we're not exporting the entire project from it to accomplish an import, which ought to be a trivial operation. Again, I don't know if it is TFE that is the problem, but I think it would be prudent to replicate the issue within TFE, given how utterly bizarrely TFE handles authentication with imports (i.e., that it doesn't do the import in TFE, but rather seems to do it with the local user's credentials). I sort of thought this would be a small request, given that both provider & TFE are Hashi-managed projects.
@roy-work if you can run terraform apply with an account, I can't think of any reason that terraform import can't be run with the same account. Did I miss anything here?
if you can run terraform apply with an account, I can't think of any reason that terraform import can't be run with the same account. Did I miss anything here?
Again, my guess is and continues to be that terraform import is run locally, whereas terraform apply is not, when TF is remote (i.e., when it is TFE or TF Cloud). (Aside from updating the state; the new state is, ofc., stored on the remote. But the provider calls to actually determine the state during the import happen, AFAICT, locally.)
@roy-work where the state resides is specified in the Terraform provider configuration. terraform import and terraform apply should use the same config if you are using the config https://www.terraform.io/language/providers/requirements#requiring-providers
Again, this is a question that appears to be about how to use Terraform. At the provider level, there is no difference in terms of state and the permissions of the runner. If you are able to create a resource, you should be able to import it as well.
Instead of using the default settings, maybe you can try by providing a provider config block in your code for both apply and import. If you still see the problem, please share the debug logs of both apply and import executions so I can take a closer look.
@roy-work is this still an issue?
@roy-work you might want to review how to configure the provider. If you are able to create a resource, you should be able to import the same resource using the same terraform runner account. I am closing the issue now. Feel free to reopen if you want to continue the conversation.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
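
Added example, not part of the issue thread or the provider's code: a triage of Terraform debug output that separates a failure at the OAuth token exchange (the `oauth2: cannot fetch token` / `invalid_grant` lines in the log above) from an error returned by the Google API itself. The sample log is constructed and abridged from the output in this issue; the `triage` function, its field names, and the reading of `Authenticating using DefaultClient` as Application Default Credentials are assumptions of this example.

```python
import re

# Constructed sample, abridged from the shape of the debug output in this issue.
SAMPLE_LOG = """\
2022-08-25T16:43:04.082-0400 [INFO] provider.terraform-provider-google_v4.30.0_x5: [INFO] Authenticating using DefaultClient...
2022-08-25T16:43:04.336-0400 [INFO] provider.terraform-provider-google_v4.30.0_x5: [DEBUG] Retry Transport: request attempt 0
2022-08-25T16:43:04.375-0400 [INFO] provider.terraform-provider-google_v4.30.0_x5: [DEBUG] Retry Transport: Stopping retries, last request failed with non-retryable error: oauth2: cannot fetch token: 400 Bad Request
Response: {
"error": "invalid_grant",
"error_description": "Bad Request"
}
2022-08-25T16:43:04.375-0400 [ERROR] provider.terraform-provider-google_v4.30.0_x5: Response contains error diagnostic: tf_rpc=ImportResourceState diagnostic_severity=ERROR
"""

TOKEN_FAIL = re.compile(r"oauth2: cannot fetch token: (\d{3})")  # token endpoint refused
OAUTH_ERR = re.compile(r'"error":\s*"([a-z_]+)"')                # OAuth2 error code in the body
API_STATUS = re.compile(r"googleapi: Error (\d{3})")             # error from the API itself
RPC = re.compile(r"\btf_rpc=(\w+)")                              # Terraform operation that failed


def triage(log: str) -> dict:
    """Report where authentication failed in a google provider debug log."""
    result = {"credential_source": None, "stage": None,
              "http_status": None, "oauth_error": None, "rpc": None}
    # Assumption: this message marks the fallback to Application Default Credentials.
    if "Authenticating using DefaultClient" in log:
        result["credential_source"] = "application-default"
    lines = log.splitlines()
    for i, line in enumerate(lines):
        rpc = RPC.search(line)
        if rpc:
            result["rpc"] = rpc.group(1)
        if result["stage"] is not None:
            continue  # keep the first failure; later lines repeat it
        tok, api = TOKEN_FAIL.search(line), API_STATUS.search(line)
        if tok:
            # The token endpoint's JSON error body follows on the next lines.
            body = OAUTH_ERR.search("\n".join(lines[i + 1:i + 5]))
            result.update(stage="token_exchange", http_status=int(tok.group(1)),
                          oauth_error=body.group(1) if body else None)
        elif api:
            result.update(stage="api_call", http_status=int(api.group(1)))
    return result
```

A `token_exchange` result means the status code came from the OAuth token endpoint before any authorized API call was made, so the credentials loaded by the local process are the thing to inspect.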