role_arn can't use values from a terraform_remote_state data source #1280

Closed
icebourg opened this issue Jul 28, 2017 · 6 comments
Labels
bug Addresses a defect in current functionality. stale Old or inactive issues managed by automation, if no further action taken these will get closed. upstream-terraform Addresses functionality related to the Terraform core binary.

Comments

@icebourg
Contributor

icebourg commented Jul 28, 2017

Terraform Version

Terraform v0.9.11

Affected Resource(s)

  • provider "aws" with an assume_role, with a role_arn that references a value from terraform_remote_state

Terraform Configuration Files

provider "aws" {
  region = "${var.aws_region}"

  profile = "foo"

  assume_role {
    role_arn = "arn:aws:iam::${data.terraform_remote_state.constants.account_ids["production"]}:role/Role"
  }
}


data "terraform_remote_state" "constants" {
  backend = "s3"

  config {
    bucket = "some-bucket"
    key    = "constants.tfstate"

    profile  = "foo"
    role_arn = "arn:aws:iam::1234567890:role/Role"
  }
}

Debug Output

Terraform does not correctly recognize the ARN it needs to assume. This is an example from the debug log:

2017/07/28 13:59:20 [DEBUG] plugin: terraform: aws-provider (internal) 2017/07/28 13:59:20 [INFO] assume_role configuration set: (ARN: "", SessionID: "", ExternalID: "", Policy: "")

(If you take away ${data.terraform_remote_state.constants.account_ids["production"]} from role_arn and replace it with a hardcoded value, Terraform correctly logs the ARN in debug output.)

Panic Output

N/A

Expected Behavior

Terraform should have interpolated the value from the remote state and correctly calculated the ARN which would lead to Terraform performing an STS:AssumeRole with this ARN and performing a successful plan.

Actual Behavior

The debug output shows the ARN is empty, and therefore Terraform does not perform an STS:AssumeRole, and therefore Terraform does not end up with credentials that manage the other resources.

Steps to Reproduce

  1. terraform plan --out plan

Important Factoids

I've already been down the road of ensuring that the remote state is correctly loaded by Terraform before the provider. I've also verified the interpolated value is correct, though that doesn't seem to be here nor there since the debug log shows the whole thing interpolates to a blank string.

From the debug log I can see Terraform get the S3 remote state before it calculates the ARN, so Terraform should have the information it needs to correctly calculate the ARN.

I've also verified that I haven't done something dumb by using ${data.terraform_remote_state.constants.account_ids["not_real"]}, which Terraform correctly complains about the key/value not existing.

The providers documentation says that this should work, but something is causing Terraform to incorrectly believe the ARN is a blank string.

We are using this remote state data source all over our Terraform files, and all the values are correct and everything works as expected. I don't think this can be attributed to something simple like a broken remote state. The only place we can't seem to get this to work at all is as an interpolated value for role_arn for the AWS provider.
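A check for the failure mode reported above, as an added example that is not part of the original issue or of the provider's code: it scans Terraform debug output for the `assume_role configuration set` record and flags a `role_arn` that interpolated to an empty string before anything is applied. The function names, the `expected_account` parameter and the second sample log line are assumptions made for illustration; the first sample line is the record quoted in the issue.

```python
import re

# Assumption: fields are Go %q-style quoted strings, as in the line quoted above.
_Q = r'"((?:[^"\\]|\\.)*)"'
ASSUME_ROLE_RE = re.compile(
    r'assume_role configuration set: '
    r'\(ARN: %s, SessionID: %s, ExternalID: %s, Policy: %s\)' % (_Q, _Q, _Q, _Q)
)
# IAM role ARN with a 12-digit account id, in any AWS partition.
ROLE_ARN_RE = re.compile(r'^arn:aws[a-z-]*:iam::(\d{12}):role/.+$')


def audit_assume_role(log_text, expected_account=None):
    """Return (line_number, status, arn) for every assume_role log record.

    status is "empty" (role_arn interpolated to "", so no AssumeRole happens),
    "malformed", "wrong-account" or "ok". A log that contains no record at
    all yields [(0, "missing", "")].
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = ASSUME_ROLE_RE.search(line)
        if not m:
            continue
        arn = m.group(1)
        parsed = ROLE_ARN_RE.match(arn)
        if arn == "":
            status = "empty"
        elif not parsed:
            status = "malformed"
        elif expected_account and parsed.group(1) != expected_account:
            status = "wrong-account"
        else:
            status = "ok"
        findings.append((lineno, status, arn))
    return findings or [(0, "missing", "")]


def safe_to_apply(log_text, expected_account=None):
    """True only if every assume_role record carries the expected role ARN."""
    return all(s == "ok" for _, s, _ in audit_assume_role(log_text, expected_account))


# Line 1 is the record from the issue; line 2 is constructed for contrast.
SAMPLE_LOG = (
    '2017/07/28 13:59:20 [INFO] assume_role configuration set: '
    '(ARN: "", SessionID: "", ExternalID: "", Policy: "")\n'
    '2017/07/28 14:05:02 [INFO] assume_role configuration set: '
    '(ARN: "arn:aws:iam::123456789012:role/Role", SessionID: "", ExternalID: "", Policy: "")\n'
)
```

Feed it the stderr of a plan run with `TF_LOG=DEBUG` and stop the pipeline when `safe_to_apply` returns `False`.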

@icebourg icebourg changed the title role_arn can't used values from terraform_remote_state role_arn can't use values from a terraform_remote_state data source Jul 28, 2017
@radeksimko radeksimko added the bug Addresses a defect in current functionality. label Jul 31, 2017
@radeksimko
Member

radeksimko commented Jul 31, 2017

Hi @icebourg
thanks for the report.

Unfortunately this is a known core bug involving cross-provider references (terraform vs aws provider in this case). See hashicorp/terraform#12393

Do you mind me closing this in favour of a more generic issue hashicorp/terraform#4149 ?

@radeksimko radeksimko added the waiting-response Maintainers are waiting on response from community or contributor. label Jul 31, 2017
@icebourg
Contributor Author

I'm confused. The documentation explicitly says that remote state is supported for interpolation in providers:

At this time, only variables and data sources, including remote state may be used in an interpolation inside a provider stanza. (source)

I glanced at both of those bug reports, and I think what those issues are trying to accomplish is very different, trying to progressively build a terraform plan. That's not at all what I'm trying to do here.

@radeksimko
Member

I think you're right, sorry for the confusion.

It should work for data sources.

@radeksimko radeksimko removed the waiting-response Maintainers are waiting on response from community or contributor. label Aug 1, 2017
@robinbowes

I just hit this same issue.

data "terraform_remote_state" "rds" {
  backend = "s3"

  config {
    bucket = "${var.terraform_state_bucket}"
    key    = "${var.aws_region}/stages/${var.stage}/common/rds-instance/terraform.tfstate"
    region = "${var.terraform_state_region}"
  }
}
provider "mysql" {
  endpoint = "${data.terraform_remote_state.rds.endpoint}"
  username = "${data.terraform_remote_state.rds.username}"
  password = "${data.terraform_remote_state.rds.password}"
  depends_on
}

This fails with:

Error refreshing state: 1 error(s) occurred:

* provider.mysql: dial tcp: missing address

Are we any closer to a fix?

@bflad bflad added the upstream-terraform Addresses functionality related to the Terraform core binary. label Jan 28, 2018
@github-actions

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Mar 30, 2020
@ghost

ghost commented May 30, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators May 30, 2020