Making calls to provider on startup, triggering authentication prompts #1778

Open
1 task
Michagogo opened this issue Jul 28, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@Michagogo

Language Server Version

Unknown - LS installed via VS Code extension, doesn’t seem to be in path

Terraform Version

Terraform v1.6.2 on windows_amd64

Client Version

HashiCorp Terraform v2.32.1 in VS Code 1.91.1

Terraform Configuration

All / N/A

Steps to Reproduce

Open a folder containing Terraform configuration (in my case, involving AWS)

Expected Behavior

Nothing special - the extension/LS should initialize and just work.

Actual Behavior

For some reason, there seems to be some kind of call being made using the AWS SDK. The credential-process I use in my profiles gets invoked, bringing up interactive prompts to sign in, supply MFA, authorize the CLI, etc. etc.

Gist

No response

Workarounds

No response

References

No response

Help Wanted

  • I'm interested in contributing a fix myself

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
@Michagogo Michagogo added the bug Something isn't working label Jul 28, 2024
@dbanck
Member

dbanck commented Jul 29, 2024

Hi @Michagogo,
I'm not familiar with AWS CLI credential processes, but it is most likely that this is the cause.

To confirm this theory, can you try running terraform version in one of the directories you tried to open in VS Code? I could imagine that the credential wrappers are somehow wrapping terraform commands and each command is triggering authentication, although not all commands will ever need authentication.

If you confirm that auth is triggered by terraform version then I would look into whether the tooling can exclude commands that never require auth, e.g. terraform version or terraform fmt.

In general - as with most VS Code extensions - the extension will do nothing until/unless it is activated. In this case, it can be activated by opening a folder (workspace in VS Code terms) with appropriate file extensions, such as *.tf or *.tfvars. A file does not have to be edited for the extension to be activated.

The extension may also execute terraform providers schema -json under certain circumstances, but this should only be triggered after files have been opened.

@Michagogo
Author

Hi, sorry if it wasn’t clear: this is indeed happening when the extension is being activated — e.g. when I open VSC in the morning and it loads the folders I’ve previously had active.

The credential process isn’t a wrapper for anything, it’s a command line configured in the AWS config file for each profile that’s invoked by the SDK, CLI, etc. to fetch/generate credentials when necessary.

terraform version doesn’t do anything. terraform providers schema -json, however, does seem to be triggering this behavior — what is the LS/extension doing with that command that would require AWS SDK/API calls involving credentials?

@rifelpet

I'm also seeing this with AWS SSO. For a ~/.aws/config profile that looks like this:

[profile test]
sso_start_url=https://d-foobar.awsapps.com/start
sso_account_id=1234567890
sso_role_name=foo
sso_region=us-east-1
region=us-east-1

and a terraform configuration like this, where both the AWS provider and the S3 backend use the above profile:

terraform {
  required_version = ">= 1.9.2"

  backend "s3" {
    region  = "us-east-1"
    bucket  = "foo"
    key     = "bar"
    profile = "test"
  }
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.63.0"
    }
  }
}

provider "aws" {
  region  = "us-east-1"
  profile = "test"
}

Just opening VSCode in a workspace that includes this directory will trigger the SSO authentication prompts. It only happens if the directory already had terraform init run previously and the SSO session expired or was cleared since then. It also only happens if a .tf file in the directory is open in VSCode, including if you use the "window.restoreWindows": "all" VSCode setting and close and re-open a VSCode workspace.

I can confirm that terraform version does not trigger the prompts but terraform providers schema -json does. Here are the trace logs:

2024-08-19T16:58:55.264-0500 [INFO]  CLI command args: []string{"providers", "schema", "-json"}
2024-08-19T16:58:55.265-0500 [TRACE] Meta.Backend: BackendOpts.Config not set, so using settings loaded from main.tf:4,3-15
2024-08-19T16:58:55.265-0500 [TRACE] Meta.Backend: built configuration for "s3" backend with hash value 2638453018
2024-08-19T16:58:55.265-0500 [TRACE] Meta.Backend: working directory was previously initialized for "s3" backend
2024-08-19T16:58:55.265-0500 [TRACE] backendConfigNeedsMigration: given configuration matches cached configuration, so no migration is required
2024-08-19T16:58:55.265-0500 [TRACE] Meta.Backend: using already-initialized "s3" backend configuration
2024-08-19T16:58:55.265-0500 [TRACE] backend-s3.aws-base: Resolving AWS configuration: tf_backend.operation=Configure tf_backend.req_id=REDACTED tf_backend.s3.bucket=REDACTED tf_backend.s3.path=REDACTED
2024-08-19T16:58:55.265-0500 [DEBUG] backend-s3.aws-base: Resolving credentials provider: tf_backend.operation=Configure tf_backend.req_id=REDACTED tf_backend.s3.bucket=REDACTED tf_backend.s3.path=REDACTED
2024-08-19T16:58:55.265-0500 [TRACE] backend-s3.aws-base: Building default HTTP client: tf_backend.operation=Configure tf_backend.req_id=REDACTED tf_backend.s3.bucket=REDACTED tf_backend.s3.path=REDACTED
2024-08-19T16:58:55.265-0500 [DEBUG] backend-s3.aws-base: Setting profile: tf_backend.operation=Configure tf_backend.req_id=REDACTED tf_backend.s3.bucket=REDACTED tf_backend.s3.path=REDACTED tf_aws.profile=test tf_aws.profile.source=provider
2024-08-19T16:58:55.265-0500 [DEBUG] backend-s3.aws-base: Loading configuration: tf_backend.operation=Configure tf_backend.req_id=REDACTED tf_backend.s3.bucket=REDACTED tf_backend.s3.path=REDACTED
2024-08-19T16:58:55.277-0500 [DEBUG] backend-s3.aws-base: Retrieving credentials: tf_backend.operation=Configure tf_backend.req_id=REDACTED tf_backend.s3.bucket=REDACTED tf_backend.s3.path=REDACTED

The authentication prompts are surprising when opening VSCode, and it's not 100% clear to the user that the auth prompts are originating from VSCode's terraform-ls versus any other process on the workstation.

If I don't complete the auth prompt, terraform-ls logs this:
2024/08/19 17:01:43 jobs.go:487: JOBS: Finishing job "4": "OpTypeObtainSchema" for {"file:///REDACTED"} (err = Execution of "ProviderSchemas" timed out after 30s, deferredJobs: [])
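
Added example, not part of the thread and not terraform-ls code: a small parser that groups Terraform trace output by CLI invocation and reports which commands reached backend credential retrieval, so an unexpected auth prompt can be attributed to a specific command and profile. The sample lines are abridged from the trace quoted in the comment above, the trailing `version` invocation is constructed for contrast, and the function and field names are illustrative.

```python
import re

# Sample trace: first four lines abridged from the log quoted in the comment above
# (REDACTED fields dropped); the final "version" invocation is constructed.
SAMPLE_LOG = """\
2024-08-19T16:58:55.264-0500 [INFO]  CLI command args: []string{"providers", "schema", "-json"}
2024-08-19T16:58:55.265-0500 [TRACE] Meta.Backend: using already-initialized "s3" backend configuration
2024-08-19T16:58:55.265-0500 [DEBUG] backend-s3.aws-base: Setting profile: tf_backend.operation=Configure tf_aws.profile=test tf_aws.profile.source=provider
2024-08-19T16:58:55.277-0500 [DEBUG] backend-s3.aws-base: Retrieving credentials: tf_backend.operation=Configure
2024-08-19T17:02:10.101-0500 [INFO]  CLI command args: []string{"version"}
"""

LINE_RE = re.compile(r'^(\S+) \[(\w+)\]\s+(.*)$')            # timestamp, level, message
ARGS_RE = re.compile(r'CLI command args: \[\]string\{(.*)\}')  # start of one CLI run
PROFILE_RE = re.compile(r'\btf_aws\.profile=(\S+)')            # AWS profile in use
CRED_RE = re.compile(r'^(\S+?): Retrieving credentials:')      # component fetching creds


def credential_events(log_text):
    """Group trace lines by CLI invocation and record credential lookups."""
    runs, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, _level, msg = m.groups()
        args = ARGS_RE.search(msg)
        if args:
            current = {"command": re.findall(r'"([^"]*)"', args.group(1)),
                       "started": ts, "profile": None, "credential_lookups": []}
            runs.append(current)
            continue
        if current is None:
            continue  # lines before the first invocation cannot be attributed
        prof = PROFILE_RE.search(msg)
        if prof:
            current["profile"] = prof.group(1)
        cred = CRED_RE.match(msg)
        if cred:
            current["credential_lookups"].append((ts, cred.group(1)))
    return runs


if __name__ == "__main__":
    for run in credential_events(SAMPLE_LOG):
        verdict = "resolves credentials" if run["credential_lookups"] else "no credential lookup"
        print(" ".join(run["command"]), "->", verdict, run["profile"] or "")
```
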

@Michagogo
Author

Michagogo commented Aug 19, 2024 via email
