Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Initalizing dependencies fails when state is encrypted #3495

Open
norman-zon opened this issue Oct 18, 2024 · 3 comments
Open

Initalizing dependencies fails when state is encrypted #3495

norman-zon opened this issue Oct 18, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@norman-zon
Copy link

norman-zon commented Oct 18, 2024
edited
Loading

Describe the bug

When the state of a dependency is encrypted and the dependency is not initialised, any terragrunt command in the dependant module fails.

Steps To Reproduce

  • Create two terraform modules A and B.
  • B is a dependency of A.
  • run terraform apply in both.
  • verify terragrunt plan works in A.
  • rm -rf .terragrunt-cache in B.
  • verify terragrunt plan still works in A
  • encrypt the state of B and rm -rf .terraform-cache again.
  • run terragrunt plan in A.
  • A fails with: 
    ERROR  Failed to execute "tofu output -json" in ../B/.terragrunt-cache/779213818
│ Error: Required plugins are not installed
  • un-encrypt state of B and rm -rf .terraform-cache.
  • verify terragrunt plan works again in A.

I created a minimal example repo unfortunately in this minimal setup I can not reproduce the issue.
Any advice what I should look out for in my real production setup, that could make the difference?

Expected behavior

State encryption does not alter the behaviour of dependencies

Versions

  • Terragrunt version: 0.68.3
  • OpenTofu/Terraform version: 1.8.3
  • Environment details: MacOS, can reproduce in CI under Ubuntu22.04

If you need further details I am happy to help out.
@norman-zon norman-zon added the bug Something isn't working label Oct 18, 2024
@norman-zon
Copy link
Author

norman-zon commented Oct 18, 2024
edited
Loading

When running with debug logging I see

16:59:56.571 STDERR [../B] tofu: Error loading state: Unsupported state file format: This state file is encrypted and can not be read without an encryption configuration

The encryption config for B is added via a generate block, like in my example. But I notice, that after the failed run .terragrunt-cache in B is empty. Is this somehow an issue of order of execution maybe?

I think the main difference between the example and my real environment is the example using local state.

@norman-zon
Copy link
Author

Indeed!
When using a remote_state {} block in my example I can reproduce the issue.

So my guess is remote state is accessed before the generate blocks are executed? And therefore the encryption config is missing, if it is defined in a generate block.

@denis256
Copy link
Member

Hi,
AFAIK, Terragrunt accesses the remote state before running the generate block to check for configuration drifts.

I bypass this was thinking about:

  • try running with --terragrunt-disable-bucket-update to see if it will skip checking this part
  • extract config generation in an external script and invoke it through run_cmd

https://terragrunt.gruntwork.io/docs/reference/cli-options/#terragrunt-disable-bucket-update

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@denis256 @norman-zon