[Bug]: Error: failed to get shared config profile

[c0debreaker]

Terraform Core Version

1.10.0

AWS Provider Version

3.12

Affected Resource(s)

Atlantis in ECS Fargate

Expected Behavior

Terraform plan should work but it's failing with Error: failed to get shared config profile.

The command in atlantis log is:

running 'sh -c' '/home/atlantis/.atlantis/bin/terraform1.10.0 init -input=false -upgrade' in '/home/atlantis/.atlantis/repos/terraform/dev-vpc/456/default': exit status 1

Actual Behavior

When using Atlantis version 0.31.0, and we are doing a merge request where atlantis plan is executed on the atlantis server, it fails.

The command executed by atlantis is:

running 'sh -c' '/home/atlantis/.atlantis/bin/terraform1.10.0 init -input=false -upgrade' in '/home/atlantis/.atlantis/repos/terraform/dev-vpc/456/default': exit status 1

The error is:

Error: failed to get shared config profile

This error doesn't happen when using Atlantis 0.17.4

Relevant Error/Panic Output Snippet

running 'sh -c' '/home/atlantis/.atlantis/bin/terraform1.10.0 init -input=false -upgrade' in '/home/atlantis/.atlantis/repos/terraform/dev-vpc/456/default': exit status 1
Initializing the backend...
Upgrading modules...
Downloading git::ssh://git@obscured-server-name/terraform/modules/iam-modules.git?ref=v9.0.0 for atlantis-service-role...
- atlantis-service-role in .terraform/modules/atlantis-service-role/atlantis-service-role
Downloading git::ssh://git@obscured-server-name/terraform/modules/encrypted-ami-cmk-grants.git?ref=v4.1.0 for aws_service_account_ami_encryption_key_access...
- aws_service_account_ami_encryption_key_access in .terraform/modules/aws_service_account_ami_encryption_key_access
Downloading git::ssh://git@obscured-server-name/terraform/modules/aws-secrets-manager-pipelined-application-secret.git?ref=v3.1.0 for billing_aalvideobill_credentials...
- billing_aalvideobill_credentials in .terraform/modules/billing_aalvideobill_credentials
Downloading git::ssh://git@obscured-server-name/terraform/modules/aws-secrets-manager-pipelined-application-secret.git?ref=v3.1.0 for billing_acahvcreportfun_credentials...
- billing_acahvcreportfun_credentials in .terraform/modules/billing_acahvcreportfun_credentials
Downloading git::ssh://git@obscured-server-name/terraform/modules/aws-secrets-manager-pipelined-application-secret.git?ref=v3.1.0 for billing_acpaypointdaily_credentials...
- billing_acpaypointdaily_credentials in .terraform/modules/billing_acpaypointdaily_credentials
Downloading git::ssh://git@obscured-server-name/terraform/modules/aws-secrets-manager-pipelined-application-secret.git?ref=v3.1.0 for billing_acpaypointmonth_credentials...
- billing_acpaypointmonth_credentials in .terraform/modules/billing_acpaypointmonth_credentials
Downloading git::ssh://git@obscured-server-name/terraform/modules/aws-secrets-manager-pipelined-application-secret.git?ref=v3.1.0 for billing_acpurchmonthftp_credentials...
- billing_acpurchmonthftp_credentials in .terraform/modules/billing_acpurchmonthftp_credentials
Downloading git::ssh://git@obscured-server-name/terraform/modules/aws-secrets-manager-pipelined-application-secret.git?ref=v3.1.0 for billing_acpwpmonthlyftp_credentials...
- billing_acpwpmonthlyftp_credentials in .terraform/modules/billing_acpwpmonthlyftp_credentials
Downloading git::ssh://git@obscured-server-name/terraform/modules/aws-secrets-manager-pipelined-application-secret.git?ref=v3.1.0 for billing_defrevfx_credentials...
- billing_defrevfx_credentials in .terraform/modules/billing_defrevfx_credentials
Downloading git::ssh://git@obscured-server-name/terraform/modules/aws-secrets-manager-pipelined-application-secret.git?ref=v3.1.0 for billing_refundreportfun_credentials...
- billing_refundreportfun_credentials in .terraform/modules/billing_refundreportfun_credentials
Downloading git::ssh://git@obscured-server-name/terraform/modules/aws-secrets-manager-pipelined-application-secret.git?ref=v3.1.0 for billing_sftpgateway_aws_creds_credentials...
- billing_sftpgateway_aws_creds_credentials in .terraform/modules/billing_sftpgateway_aws_creds_credentials
Downloading git::ssh://git@obscured-server-name/terraform/modules/aws-secrets-manager-pipelined-application-secret.git?ref=v3.1.0 for billing_sftpgateway_sftp_list_credentials...
- billing_sftpgateway_sftp_list_credentials in .terraform/modules/billing_sftpgateway_sftp_list_credentials
Downloading git::ssh://git@obscured-server-name/terraform/modules/aws-secrets-manager-pipelined-application-secret.git?ref=v3.1.0 for billing_testuserrefund_credentials...
- billing_testuserrefund_credentials in .terraform/modules/billing_testuserrefund_credentials
Downloading git::ssh://git@obscured-server-name/terraform/modules/cloudformation.git?ref=v2.1.0 for cdk_app_alb_canary_cf...
- cdk_app_alb_canary_cf in .terraform/modules/cdk_app_alb_canary_cf/cdk-app-alb-canary
Downloading git::ssh://git@obscured-server-name/terraform/modules/cloudformation.git?ref=v2.1.0 for cdk_toolkit_environment...
- cdk_toolkit_environment in .terraform/modules/cdk_toolkit_environment/cdk-toolkit
Downloading git::ssh://git@obscured-server-name/terraform/modules/route53-resolvers.git?ref=v4.1.0 for chicago_lab_dns_resolver...
- chicago_lab_dns_resolver in .terraform/modules/chicago_lab_dns_resolver/modules/chicago-lab-outbound-resolver-target
- chicago_lab_dns_resolver.chicago_lab_dns_resolver in .terraform/modules/chicago_lab_dns_resolver/modules/outbound-resolver-target
Downloading git::ssh://git@obscured-server-name/terraform/modules/aws-secrets-manager-pipelined-application-secret.git?ref=v3.1.0 for coreapis_stripeevents_credentials...
- coreapis_stripeevents_credentials in .terraform/modules/coreapis_stripeevents_credentials
Downloading git::ssh://git@obscured-server-name/terraform/vpc-flow-logs.git?ref=v1.0.0 for flow_log...
- flow_log in .terraform/modules/flow_log/modules/standard-s3-vpc-flow-log
- flow_log.naming in .terraform/modules/flow_log/modules/private/resource-naming
Downloading git::ssh://git@obscured-server-name/terraform/modules/iam-modules.git?ref=v9.0.0 for iam-roles-general...
- iam-roles-general in .terraform/modules/iam-roles-general/iam-roles-general
Downloading git::ssh://git@obscured-server-name/terraform/modules/iam-modules.git?ref=v9.0.0 for iam-roles-pipeline...
- iam-roles-pipeline in .terraform/modules/iam-roles-pipeline/iam-roles-pipeline
Downloading git::ssh://git@obscured-server-name/terraform/modules/aws-vpc-service-endpoints.git?ref=v3.0.0 for interface_endpoints...
- interface_endpoints in .terraform/modules/interface_endpoints
Downloading git::ssh://git@obscured-server-name/terraform/modules/jenkinsqe-iam-resources.git?ref=v1.0.3 for jenkinsqe_node_launcher_role...
- jenkinsqe_node_launcher_role in .terraform/modules/jenkinsqe_node_launcher_role
Downloading git::ssh://git@obscured-server-name/terraform/elastic-load-balancer-access-logs.git?ref=v1.0.0 for load_balancer_access_log_bucket...
- load_balancer_access_log_bucket in .terraform/modules/load_balancer_access_log_bucket/modules/storage-bucket-lookup
- load_balancer_access_log_bucket.naming in .terraform/modules/load_balancer_access_log_bucket/modules/private/storage-bucket-naming
Downloading git::ssh://git@obscured-server-name/terraform/modules/route53-resolvers.git?ref=v4.2.0 for on_pre_corpit_domains...
- on_pre_corpit_domains in .terraform/modules/on_pre_corpit_domains/modules/corpit-azure-outbound-forwarding-resolver-target
- on_pre_corpit_domains.corpit_azure_dns_resolver in .terraform/modules/on_pre_corpit_domains/modules/outbound-resolver-target
Downloading git::ssh://git@obscured-server-name/terraform/modules/pipeline-deployment-environment-metadata.git?ref=v3.1.2 for pipeline_environment_metadata...
- pipeline_environment_metadata in .terraform/modules/pipeline_environment_metadata
Downloading git::ssh://git@obscured-server-name/terraform/modules/aws-secrets-manager-pipelined-application-secret.git?ref=v3.1.0 for product_pimcoremc_aws_creds_credentials...
- product_pimcoremc_aws_creds_credentials in .terraform/modules/product_pimcoremc_aws_creds_credentials
Downloading git::ssh://git@obscured-server-name/terraform/modules/aws-secrets-manager-pipelined-application-secret.git?ref=v3.1.0 for product_pimcoremcdev_aws_creds_credentials...
- product_pimcoremcdev_aws_creds_credentials in .terraform/modules/product_pimcoremcdev_aws_creds_credentials
Downloading git::ssh://git@obscured-server-name/terraform/modules/route53-resolvers.git?ref=v4.3.6 for route53_private_outbound_resolver...
- route53_private_outbound_resolver in .terraform/modules/route53_private_outbound_resolver/modules/outbound-resolver
Downloading git::ssh://git@obscured-server-name/terraform/route53-query-logs.git?ref=v1.0.0 for route53_resolver_logs...
- route53_resolver_logs in .terraform/modules/route53_resolver_logs/modules/organization-resolver-query-log-config-association
Downloading git::ssh://git@obscured-server-name/terraform/modules/security-groups.git?ref=v3.6.9 for security-enabled...
- security-enabled in .terraform/modules/security-enabled/security-enabled
Downloading git::ssh://git@obscured-server-name/terraform/modules/subnets.git?ref=v2.0.5 for security-enabled.subnets...
- security-enabled.subnets in .terraform/modules/security-enabled.subnets
Downloading git::ssh://git@obscured-server-name/terraform/modules/security-groups.git?ref=v3.6.9 for security-enabled-dev...
- security-enabled-dev in .terraform/modules/security-enabled-dev/security-enabled/public-inter-vpc-bad-description
- security-enabled-dev.public-inter-vpc in .terraform/modules/security-enabled-dev/security-enabled/public-inter-vpc
Downloading git::ssh://git@obscured-server-name/terraform/modules/subnets.git?ref=v2.0.5 for security-enabled-dev.public-inter-vpc.subnets...
- security-enabled-dev.public-inter-vpc.subnets in .terraform/modules/security-enabled-dev.public-inter-vpc.subnets
Downloading git::ssh://git@obscured-server-name/terraform/modules/security-groups.git?ref=v3.6.9 for security-enabled-non-prod...
- security-enabled-non-prod in .terraform/modules/security-enabled-non-prod/security-enabled-non-prod
Downloading git::ssh://git@obscured-server-name/terraform/modules/subnets.git?ref=v2.0.5 for security-enabled-non-prod.subnets...
- security-enabled-non-prod.subnets in .terraform/modules/security-enabled-non-prod.subnets
Downloading git::ssh://git@obscured-server-name/terraform/modules/aws-secrets-manager-pipelined-application-secret.git?ref=v3.1.0 for webappslabs_ifcsyncsrv_credentials...
- webappslabs_ifcsyncsrv_credentials in .terraform/modules/webappslabs_ifcsyncsrv_credentials
╷
│ Error: failed to get shared config profile, build
│ 
│ 
╵

Terraform Configuration Files

provider "aws" {
  profile = "build"

  allowed_account_ids = [
    "99999999999",
  ]

  region = local.aws_region
}

provider "aws" {
  alias   = "master"
  profile = "master"

  region = local.aws_region
}

terraform {
  required_version = ">= 1.0.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.12"
    }
  }

  backend "s3" {
    bucket         = "acme-devops-terraform-state"
    key            = "terraform/atlantis/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "acme-devops-terraform-state-lock"
    profile        = "build"
  }
}

data "terraform_remote_state" "gitlab_application" {
  backend = "s3"

  config = {
    bucket         = "acme-devops-terraform-state"
    key            = "gitlab/application/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "acme-devops-terraform-state-lock"
    profile        = "build"
  }
}

Steps to Reproduce

1. Update Atlantis to 0.31.0 version and run it in ECS Fargate
2. Using the terraform config above, make an merge or pull request

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[c0debreaker]

This is so weird. How come, I got rid of the error after removing profile = "build" inside the backend and config. It was working fine before when using Atlantis 0.17.4 but not with Atlantis 0.31.0? The terraform version being used in Atlantis were the same. Why would it matter?

[justinretzolk]

Hey @c0debreaker 👋 Thank you for taking the time to raise this! Am I understanding correctly that you're using consistent versions of Terraform and the AWS Provider, and the only change was the version of Atlantis? If that's the case, you'll need to open an issue with Atlantis (note for any other readers: I see you've already done so).

If you're also changing versions of the AWS Provider, you may have run into the same issue reported in #34444, which looks fairly similar. Otherwise, I found a few other issues that may have clues (the logging from Atlantis isn't telling me a whole lot, but I've not spent much time with the project):

#33064
#25905
#25129

Like I mentioned, it's a bit unclear to me as to where the error is coming from at this point, but that removing the profile from the backend configuration resolves it points more towards the S3 backend (which is part of Terraform Core) than the AWS Provider itself. With that in mind, I looked at the Terraform Core repository as well, and found a couple of reports that looked pretty similar. Unfortunately they don't seem wildly helpful, but I wanted to link them just in case.

hashicorp/terraform#35145
hashicorp/terraform#35464
hashicorp/terraform#35091