Terraform Cloud authentication token variable not working

[marcincuber]

Terraform Version

0.12.3

Terraform Configuration Files

terraform {
  required_version = "~> 0.12.3"

  backend "remote" {
    hostname = "app.terraform.io"
  }
}

Crash Output

terraform init -backend-config=backend_configs/test.hcl && terraform validate && terraform plan -var-file=vars/test.tfvars
Initializing modules...

Initializing the backend...

Error: Required token could not be found

Make sure you configured a credentials block for app.terraform.io in your CLI
Config File.

make: *** [tf-plan-test] Error 1

Expected Behavior

After exporting TFE_TOKEN I should be able to pull the terraform backend from terraform cloud.

Actual Behavior

Getting an error which suggests to me that the environment variable TFE_TOKEN doesn't work.

Steps to Reproduce

1. export TFE_TOKEN=xyz
2. terraform init...
3. terraform plan...

Additional Context

Docs -> https://www.terraform.io/docs/providers/tfe/index.html suggest that environment variable TFE_TOKEN should work just fine and terraform should be able to authenticate just fine.

[codeflows]

I think the documentation might be incorrect, as #18642 seems to have removed the support for TFE_TOKEN

[teamterraform]

Hi @marcincuber!

The TFE_TOKEN is still supported by the tfe provider, but that doesn't apply to the remote backend. The current way to set credentials (which will work for all interactions with Terraform Cloud) is to use CLI config file credentials blocks.

The reason we are phasing out the TFE_TOKEN environment variable is that it does not give enough information: tokens are host-specific, and so the single TFE_TOKEN variable creates an easy pitfall of accidentally sending your private-instance credentials to app.terraform.io by having that environment variable set.

The credentials configuration block, on the other hand, specifies credentials explicitly for a particular host. If you write a credentials block for tfe.example.com then Terraform will never send those credentials to app.terraform.io:

credentials "app.terraform.io" {
  # host-specific credentials
}

credentials "tfe.example.com" {
  # host-specific credentials
}

The environment variable remains supported on the provider for now because it is lagging behind on the deprecation process, but we'd recommend using the credentials file mechanism in all cases moving forward since that is the most robust mechanism and the one that will continue to be supported.

The legacy TFE_TOKEN variable is already omitted from the remote backend documentation, so it seems like the documentation is accurate for the current situation. In a future release when TFE_TOKEN is removed from the tfe provider too, the provider's documentation will presumably be updated along with it.

We hope this helps clarify the situation! Since the remote backend is working as intended here, we're going to close this out now.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.