Terraform 0.9.11 prompting user for value for provider.aws.region

[revprez]

References

1. terraform prompts several times to enter a provider.aws.region when a certain number of nested modules is reached. #8680

Terraform Version

0.9.11

Affected Resource(s)

Provider aws

Example configuration

Example project is available here.

Project structure

tree .
.
├── README.md
├── deployments
│   └── qa
│       └── promptbug
│           ├── main.tf
│           ├── outputs.tf
│           └── variables.tf
└── modules
    └── providers
        └── aws
            ├── main.tf
            ├── outputs.tf
            ├── variables.tf
            └── variables.tf.template

Key project file contents

modules/providers/aws/variables.tf:

variable "profile" {
  type = "string"
  default = "default"
}

variable "profile" {
  type = "region"
  default = "us-east-1"
}

modules/providers/aws/main.tf:

provider "aws" {
  profile = "${var.profile}"
  region  = "${var.region}"
}

deployments/qa/promptbug/main.tf:

resource "aws_vpc" "promptbug-vpc" {
  cidr_block       = "10.0.0.0/16"

  tags {
    Name = "promptbug-vpc"
  }
}

Expected Behavior

VPC is created without incident or prompt.

Actual Behavior

User is prompted immediately to supply value for provider.aws.region:

$ terraform plan
provider.aws.region
  The region where AWS operations will take place. Examples
  are us-east-1, us-west-2, etc.

  Default: us-east-1
  Enter a value: 

Steps to Reproduce

1. Clone example project available here to a location of your choosing.
2. Execute the following:

$ pushd bug_terraform_aws-provider-region-prompt/deployments/qa/promptbug
$ terraform get
$ terraform plan

[alexrudd]

I'm seeing this too

[libai0915]

getting the same issue. So the atlas plan failed due to this issue.

[alexrudd]

I found out the reason I encountered this issue was because I hadn't created a default aws provider.

My stack was targetting multiple aws accounts so originally all my aws providers had aliases defined, and all my resources referenced one of these provider aliases.

Despite this, Terraform plan/apply was asking for a provider.aws.region value to be given. My work around was just to create a redundant provider which was invalid and is never used.

provider "aws" {
  region     = "not-used"
  access_key = "foo"
  secret_key = "bar"
  
  skip_credentials_validation = true
  skip_region_validation      = true
  skip_requesting_account_id  = true
  skip_get_ec2_platforms      = true
}

I think this is different to the problem the OP is referring to, but hopefully it helps someone.

[joestump]

I'm experiencing this issue as well only I don't have a single aws provider declared in my module. I think it might be related to #8680.

[catherinetcai]

Experiencing this issue as well when running a terraform plan. I'm explicitly passing in the region to the module as a variable, but it's not getting picked up.

[reedflinch]

Having this issue with Terraform v0.11.1 as well.

[JschuttTableau]

I'm seeing this again as well, using v0.11.2. Worked fine in v0.10.8

[salvianreynaldi]

I'm still seeing this in 0.11.7, example module: https://github.com/traveloka/terraform-aws-iam-role/tree/master/modules/service

[apparentlymart]

Hi all! I think there may be a few different causes here leading to the same symptom.

---

@revprez, in your case I see your resource "aws_vpc" "promptbug-vpc" block in deployments/qa/promptbug, but that module doesn't include a provider "aws" block at all, and so it's expected that Terraform would prompt for the provider configuration in that case.

You also have modules/provider/aws which does contain a provider "aws" block, but it doesn't contain any resources, nor any references to any other modules.

As a result, as far as Terraform is concerned you really have two completely-separate configurations here. In order to get the expected behavior, the provider "aws" block must either appear in the same module or an ancestor module to where the resource "aws_vpc" "promptbug-vpc" block appears.

The usual way to arrange things in a multi-environment scenario is to have a root module for each environment, and then factor out the items that are common to all environments into a child module. The provider configurations then live inside the environment-specific root module. In your case, this would mean that your deployments/qa/promptbug might contain something like this:

variable "profile" {
  type = "string"
}

variable "region" {
  type    = "string"
  default = "us-east-1"
}

provider "aws" {
  profile = "${var.profile}"
  region  = "${var.region}"
}

module "vpc" {
  source = "../../modules/vpc"
}

...and then this other directory modules/vpc would contain the aws_vpc resource block:

resource "aws_vpc" "promptbug-vpc" {
  cidr_block       = "10.0.0.0/16"

  tags {
    Name = "promptbug-vpc"
  }
}

The child module, containing the resource "aws_vpc" "promptbug-vpc" block, will then inherit the provider "aws" configuration from its parent. You could then also add deployments/production/promptbug which contains similar blocks but configured in a different way that is appropriate to the production environment.

---

For others who have commented in this issue, without configuration examples I can't be sure exactly what is going on for you, but it may help to understand what causes Terraform to display these input prompts:

Early on in its processing, Terraform goes through a process of associating each resource and data block with a provider configuration. A provider configuration is usually a a provider block, but if no matching block is present Terraform will behave as if an empty one were present, and thus the presence of an aws_vpc resource in the above example implied an empty provider "aws" {} block, even though none was actually given in that module.

The full behavior for this resource-to-provider matching is detailed in Providers within Modules, but here's a summary:

• If a resource or data block has the provider meta-argument set, the given provider configuration is used.
• If no provider meta-argument is present, the first underscore-separated word of the resource type or data source is used as the provider name.
• If there is no provider block for the selected provider configuration, then:
  • In the root module, an empty provider block is implicitly created.
  • In a child module, Terraform walks up the module tree until it finds a matching configuration, or until it reaches the root module where the implied-empty behavior is applied. (There are some subtleties here where module blocks have providers set, but I'll leave Passing Providers Explicitly to describe that.)

(The provider selection behavior changed in Terraform v0.11, so the above is describing v0.11 and does not apply exactly to prior versions. Earlier versions have behavior that is similar in spirit, however.)

Finally, Terraform then visits each of the provider blocks -- whether explicitly in the configuration or implied to be empty -- and checks to see if all of the required arguments are set. If not, an input prompt is displayed. region is a required argument for the aws provider, so it must be set in order to suppress the prompt.

With all of the above in mind, a common cause of unwanted input prompts is having a resource or data block that is not associated with the provider configuration you expected, causing Terraform to create the implied empty configuration instead, and then to prompt for input against that empty configuration.

@salvianreynaldi, this seems to be the reason for the behavior in your example: your root module contains data "aws_iam_policy_document" "this" but that module does not have a provider "aws" block, and so Terraform will create an implied empty one and then prompted for the required region argument.

In most cases, provider blocks belong in the root module where they can then be inherited by all other modules in the configuration. Configuring the provider in the root module (rather than inside the this module) should cause the input prompt to go away, as long as the provider "aws" block in the root contains a value for the region argument, which is required.

---

I hope the above information helps explain the behavior you are all seeing. If you are on Terraform 0.11.0 or higher and are seeing behavior different than I described above, please do open a new issue and share your configuration so we can try to reproduce it. Since the original request here describes expected behavior, I'm going to close this issue.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.