Terraform tries to apply with the service account used to generate the plan #2435
Comments
Hi @kylehodgetts! Can you please share the Also, I'm assuming the service accounts you mentioned are already provisioned and available to use when you run the plan and apply operations that need to use them. Is that correct?
Hi @alexsomesan, thank you for your quick response; please find it below. I've also added these details to the original issue.
Yes, that's correct, they are provisioned separately.
So this line in your provider configuration defines which identity (service account or otherwise) the provider will use:
In your case, the provider will always use the default access token GKE issues for your respective GCP identity. What you want to do instead is provide the actual service account tokens from the secrets you created. Depending on how you orchestrate your Terraform runs, there are a few ways to do this. There is no way to distinguish between a Are you able to supply the tokens from your orchestration environment instead?
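As an added illustration (not configuration from this issue, whose provider block did not survive in the extracted text), assuming a Kubernetes provider wired to a GKE cluster through the Google provider's data sources: the first block shows the pattern the maintainer describes, where the token is a plan-time data source value and so carries the planning identity into the saved plan; the second drops that line so the provider instead reads `KUBE_TOKEN` from the environment of whichever pipeline stage is actually running.

```hcl
# Assumed data sources; cluster name and location come from variables.
data "google_client_config" "default" {}

data "google_container_cluster" "gke" {
  name     = var.cluster_name
  location = var.cluster_location
}

# Weak setting: the access token is resolved when `terraform plan` runs and is
# written into the plan file, so `terraform apply plan` reuses the planning
# identity (here, the read-only account) regardless of who runs the apply.
provider "kubernetes" {
  alias                  = "plan_time_identity"
  host                   = "https://${data.google_container_cluster.gke.endpoint}"
  cluster_ca_certificate = base64decode(data.google_container_cluster.gke.master_auth[0].cluster_ca_certificate)
  token                  = data.google_client_config.default.access_token
}

# Corrected setting: no token in configuration. The provider falls back to the
# KUBE_TOKEN environment variable, which each pipeline stage exports from its
# own secret, so the apply stage authenticates as the full-access account.
provider "kubernetes" {
  host                   = "https://${data.google_container_cluster.gke.endpoint}"
  cluster_ca_certificate = base64decode(data.google_container_cluster.gke.master_auth[0].cluster_ca_certificate)
  # token intentionally omitted: export KUBE_TOKEN in the plan and apply jobs
  # from the respective service account secrets.
}
```

A value captured by a data source during plan is fixed in the plan file, whereas a token the provider reads from its environment is taken from the job that runs the apply, which is why this separates the planning identity from the applying one.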
One more question: are you by any chance using TFC for orchestrating your runs?
No, we are not, we are using Gitlab, which authenticates with the readonly user to do a plan when a merge request is opened. Then on merge, the pipeline will assume the terraform full access identity and then apply the plan. This is why I'm confused why it thinks it should use the terraform-readonly credentials on a completely different pipeline, which is what made me assume that some information about who created the plan was perhaps stored in the plan output itself.
I will give this a try and get back to you. Thanks for your input.
When we plan and apply our Terraform, we use a separate service account for planning and applying, a read-only terraform and a terraform-fullaccess service account respectively.
Terraform is trying to use the wrong service account when applying. We suspect terraform is attempting to use the service account used to generate the plan, instead of the active service account when we run the apply.
We don't have this issue with our other providers, hence the issue here.
Terraform Version, Provider Version and Kubernetes Version
Affected Resource(s)
We tested in isolation with the above resources
Terraform Configuration Files
Debug Output
terraform apply gist
Panic Output
Steps to Reproduce
terraform plan -out plan
terraform apply plan
Expected Behavior
We expect that the service account for writing will be used during apply.
Actual Behavior
After authenticating with the "writer" service account, we get an error stating that the readonly user that generated the plan cannot do xyz.
Important Factoids
References