Terraform: Providers not receiving credentials on on <empty> line 0:

Created on 16 Oct 2019 · 17Comments · Source: hashicorp/terraform

Terraform Version

hashicorp/terraform:0.12.10

Terraform Configuration Files

https://github.com/ironPeakServices/infrastructure/tree/feat/dockersecurity

Debug Output

https://github.com/ironPeakServices/infrastructure/pull/9/checks#step:9:31

Crash Output

 Terraform - Plan
##[error]Docker run failed with exit code 1
/usr/bin/docker run --name e959fbae632313889a4f41a6d7bb11d39dd803_77ecaa --label e959fb --workdir /github/workspace --rm -e GITHUB_TOKEN -e TF_VAR_cloudflare_email -e TF_VAR_cloudflare_token -e TF_VAR_github_org -e TF_VAR_github_token -e TF_VAR_scaleway_org -e TF_VAR_scaleway_token -e TF_VAR_ssh_root_public_key -e TF_VAR_ssh_root_private_key -e TF_VAR_ssh_tech_public_key -e INPUT_ARGS -e HOME -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e GITHUB_ACTIONS=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/infrastructure/infrastructure":"/github/workspace" e959fb:ae632313889a4f41a6d7bb11d39dd803 -state=terraform.tfstate
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

module._docker_master.module.docker.module.node.data.template_file.ssh_conf: Refreshing state...
module._docker_worker.module.docker.module.node.data.template_file.ssh_conf: Refreshing state...
module._docker_master.module.docker.data.template_file.docker_daemon_json: Refreshing state...
module._docker_master.module.docker.data.template_file.docker_conf: Refreshing state...
module._docker_worker.module.docker.data.template_file.docker_conf: Refreshing state...
module._docker_worker.module.docker.data.template_file.docker_daemon_json: Refreshing state...
module._docker_worker.module.docker.module.node.data.scaleway_image.docker: Refreshing state...
module._docker_master.module.docker.module.node.data.scaleway_image.docker: Refreshing state...

Error: credentials are not set correctly

  on <empty> line 0:
  (source code not available)



Error: If `individual` is false, `organization` is required.

  on providers.tf line 6, in provider "github":
   6: provider "github" {

Expected Behavior

The terraform plan should execute without any problems, since e,g. the cloudflare provider has hardcoded foo/bar credentials set by https://github.com/ironPeakServices/infrastructure/commit/9de9d1b8c9d676847428920621b61ef51cdeea35

Actual Behavior

 Error: credentials are not set correctly

  on <empty> line 0:
  (source code not available)

Steps to Reproduce

Run the Github step with all environment variables set.

Additional Context

This used to work fine AFAIK.

bug config v0.12

Source

hazcod

👍6 ❤2

Most helpful comment

Had this issue as well.

Error: credentials are not set correctly

  on <empty> line 0:
  (source code not available)

Fixed by changing the API token variable naming to API key, the token authentication was added recently by Cloudflare.

Previously:

export CLOUDFLARE_EMAIL="my-email"
export CLOUDFLARE_API_TOKEN="my-key"

Now:

export CLOUDFLARE_EMAIL="my-email"
export CLOUDFLARE_API_KEY="my-key"

Provider remains the same

provider cloudflare {}

adinhodovic on 16 Oct 2019

👍5

All 17 comments

Edit: the line is now mentioned somewhat correctly when I removed the first empty newline.

Error: credentials are not set correctly

  on providers.tf line 1, in provider "cloudflare":
   1: provider "cloudflare" {



Error: If `individual` is false, `organization` is required.

  on providers.tf line 9, in provider "github":
   9: provider "github" {

hazcod on 16 Oct 2019

Edit: If I move my provider input credentials to my root providers.tf file, they get picked up.
Any reason the submodule providers variables are not picked up anymore?

hazcod on 16 Oct 2019

Having the same problem. Already opened an issue on the side of azure-cli as well:
https://github.com/Azure/azure-cli/issues/10860

I think they are related.

The exact error i am getting is

Error: Error obtaining Authorization Token from the Azure CLI: Error waiting for the Azure CLI: exit status 1


  on <empty> line 0:
  (source code not available)



Error: Error obtaining Authorization Token from the Azure CLI: Error parsing json result from the Azure CLI: Error waiting for the Azure CLI: exit status 1

  on main.tf line 3, in provider "azurerm":
   3: provider "azurerm" {

alibutt30 on 16 Oct 2019

Had this issue as well.

Error: credentials are not set correctly

  on <empty> line 0:
  (source code not available)

Fixed by changing the API token variable naming to API key, the token authentication was added recently by Cloudflare.

Previously:

export CLOUDFLARE_EMAIL="my-email"
export CLOUDFLARE_API_TOKEN="my-key"

Now:

export CLOUDFLARE_EMAIL="my-email"
export CLOUDFLARE_API_KEY="my-key"

Provider remains the same

provider cloudflare {}

adinhodovic on 16 Oct 2019

👍5

@adinhodovic not sure if it's really related, don't you mean TF_VAR_xxx?

e.g. my github secrets:

variables.tf

variable "cloudflare_email" {}
variable "cloudflare_token" {}
variable "github_token" {}
variable "github_org" {}

main.tf

module "cloudflare" {
    source                  = "./modules/cloudflare"
    cloudflare_email        = "${var.cloudflare_email}"
    cloudflare_token        = "${var.cloudflare_token}"
}

module "github" {
    source                  = "./modules/github"
    github_token            = "${var.github_token}"
    github_organization     = "${var.github_org}"
}

hazcod on 17 Oct 2019

@adinhodovic not sure if it's really related, don't you mean TF_VAR_xxx?

e.g. my github secrets:

variables.tf

variable "cloudflare_email" {}
variable "cloudflare_token" {}
variable "github_token" {}
variable "github_org" {}

main.tf

module "cloudflare" {
    source                  = "./modules/cloudflare"
    cloudflare_email        = "${var.cloudflare_email}"
    cloudflare_token        = "${var.cloudflare_token}"
}

module "github" {
    source                  = "./modules/github"
    github_token            = "${var.github_token}"
    github_organization     = "${var.github_org}"
}

I think you are using an API key as a API token, just what was going wrong for me. Try just changing wherever you define your provider from api_token to api_key, or get a token from Cloudflare(Not key) and pass it instead. Cloudflare recently added authorization tokens, that's why this error popped for me.

adinhodovic on 17 Oct 2019

@adinhodovic that's what I thought too at first sight, but https://github.com/ironPeakServices/infrastructure/blob/feat/dockersecurity/modules/cloudflare/main.tf#L4
(I use global API key)

provider "cloudflare" {
  email   = "${var.cloudflare_email}"
  api_key = "${var.cloudflare_token}"
}

Update: might be related to terraform 11.12. issue: https://github.com/hashicorp/terraform/pull/23040 , since input=false is set by github actions.

hazcod on 17 Oct 2019

It works if I move every variable to my root variables.tf, but not when depending on provider inheritance. Latest terraform.

hazcod on 18 Oct 2019

Still having the above issue with version 0.12.19.
Moved to variables.tf: https://github.com/ironPeakServices/infrastructure/pull/11/checks?check_run_id=396929890

hazcod on 18 Jan 2020

If anyone wants to reproduce this, I just figured out how.

Create something with Terraform such as an empty s3 bucket or ec2 instance so that there is state.
now add the Cloudflare provider, without any arguments and run tf init so it downloads it and recognizes this new provider
comment out the Cloudflare provider
Try to run tf destroy and you will receive this error

Hope these steps help to find an answer!

afmsavage on 15 May 2020

I'm using AWS Secret Manager to retrieve cloudflare credentials. I can create records but I cannot import records. This is the error I'm getting:

Error: credentials are not set correctly

  on ../../modules/public_dns/main.tf line 9, in provider "cloudflare":
   9: provider "cloudflare" {

alfredocambera on 5 Jun 2020

👍2

I'm using AWS Secret Manager to retrieve cloudflare credentials. I can create records but I cannot import records. This is the error I'm getting:
Error: credentials are not set correctly

  on ../../modules/public_dns/main.tf line 9, in provider "cloudflare":
   9: provider "cloudflare" {

I have the same case. Let me add that works fine in the terraform 0.12 but does not in 0.13.

kszarek on 30 Sep 2020

👍3

This issue happens to me when I'm using a "different" provider on where I'm running terraform apply and on modules (please see the following usage, probably will turn my sentence more clear).

TL;DR; required_providers should be consistent between modules and the inventory

./inventory/main.tf

provider "cloudflare" {
  email      = var.cloudflare_email
  account_id = var.account_id
  api_key    = var.cloudflare_token
}

module "records" {
  source = "../modules/cloudflare/records/"

  zone_id  = var.zone_id
  records  = var.records
}

./inventory/versions.tf

terraform {
  required_version = "~> 0.13"
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 2.11"
    }
  }
}

./modules/cloudflare/records/main.tf

resource "cloudflare_record" "this" {
  for_each = var.records

  zone_id = var.zone_id
  name    = each.key
  proxied = lookup(each.value, "proxied", false)
  value   = each.value["record"]
  type    = each.value["type"]
  ttl     = lookup(each.value, "ttl", 1)
}

./modules/cloudflare/records/versions.tf

terraform {
  required_version = "~> 0.13"
  required_providers {
    cloudflare = {
      source  = "terraform-providers/cloudflare"
      version = "~> 2.11"
    }
  }
}

marceloalmeida on 22 Oct 2020

❤1

Can confirm the issue still happens as of 0.13.5:

Error: credentials are not set correctly

  on <empty> line 0:
  (source code not available)

After moving the following things from within module up the root module, all good now:

terraform {
  backend "gcs" {
    bucket = "..."
    prefix = "..."
  }

  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 2.13"
    }
  }
}

provider "cloudflare" {
  api_token = "a-long-token-string"
}

gmile on 12 Nov 2020

👍1

Hi folks! I've merged a change that will give a clearer error message when a required provider argument is not provided. Most of the errors here are provider configuration issues, and not terraform issues, so I am going to close this issue. If you are still having problems, please read the providers' documentation or make a post on the forums. Thanks!

mildwonkey on 11 Dec 2020

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.