Authentication signature from unknown issue when installing registry.opentofu.org/datadog/datadog v3.39.0 #3179
Comments
|
Thanks for filing @sombrerosheep! The team is going to take a look at this shortly. |
|
Hey @sombrerosheep , I'm sorry that was your experience when upgrading to a new version of Terragrunt. The error that you got did not clearly indicate what was happening, and we can take further action to make it easier to understand why this happened. The reason you received that error is that the authentication signature you currently have in your As of version v0.57.12 OpenTofu is the default tool Terragrunt uses when both Terraform and OpenTofu are installed on a system. To explicitly decide to have Terragrunt use Terraform going forward, you'll have to set terragrunt-tfpath explicitly. The simplest way to do that is with the environment variable TERRAGRUNT_TFPATH='terraform' terragrunt planIf you would like to fix your terragrunt init -upgradeThat will update the entries in your |
|
@yhakbar We are starting to see this on more repositories so I'd like to clarify the best way to resolve this issue and get things stable using Should removing Having never had this issue when using terraform, you can understand why were now cautious letting terragrunt use open-tofu. Once we are past the provider signature issue, if we wanted everything pointed back at terraform, we would need to:
Or would the two variables + a |
|
@yhakbar we also have another repository with this error. They are not committing a |
|
You should not need to set Either of:
Will ensure that Terragrunt uses Terraform instead of OpenTofu. In the repositories that are committing their lock files, as long as you haven't modified your lock files, you do not have to use If your state file is now tracking terragrunt state replace-provider 'registry.opentofu.org/datadog/datadog' 'registry.terraform.io/datadog/datadog' |
|
Thanks for the info! We are not using provider caching. When we run We had a successful run on June 3, and on June 4 started seeing this. The state had not been updated since May 26, 2024 which was bumping From May 26 until this began failing on June 3, we had 3 successful deployments; all involving application code, not infrastructure. Is there anything else we can do to get our application back to a stable state? |
|
@yhakbar We were finally able to get past this using the Now my question is whether or not we need to worry about this happening again? Is there any control we have for making sure that |
|
What might help you get to a stable state is to go to an empty directory and experiment with switching back and forth between Terraform and OpenTofu to see what it does to your lock file, and your state file. # ./empty-dir/terragrunt.hcl
generate "provider" {
path = "provider.tf"
if_exists = "overwrite"
contents = <<EOF
terraform {
required_providers {
datadog = {
source = "DataDog/datadog"
}
}
}
EOF
}
If you have both OpenTofu and Terragrunt installed on your system, and you run the following: TERRAGRUNT_TFPATH='tofu' terragrunt planYou'll see the following in your # This file is maintained automatically by "tofu init".
# Manual edits may be lost in future updates.
provider "registry.opentofu.org/datadog/datadog" {
version = "3.39.0"
hashes = [
# Some hashes
]
}
After that, run the following to see the error that you get: $ TERRAGRUNT_TFPATH='terraform' terragrunt plan
╷
│ Error: Inconsistent dependency lock file
│
│ The following dependency selections recorded in the lock file are
│ inconsistent with the current configuration:
│ - provider registry.terraform.io/datadog/datadog: required by this configuration but no version is selected
│
│ To update the locked dependency selections to match a changed
│ configuration, run:
│ terraform init -upgrade
╵Not an insurmountable problem! You can then run the following to explicitly change the provider listed in your lock file: $ TERRAGRUNT_TFPATH='terraform' terragrunt init -upgradeYou can see how your lock file changes as a consequence: # This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/datadog/datadog" {
version = "3.39.0"
hashes = [
# Some hashes
]
}Now, I don't have a DataDog account, so I can't test out a demo of the same thing, but for state, but I do have access to an AWS account, so I can show you that. # ./other-empty-dir/terragrunt.hcl
generate "provider" {
path = "provider.tf"
if_exists = "overwrite"
contents = <<EOF
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
}
}
}
EOF
}
generate "sts_get_caller_identity" {
path = "main.tf"
if_exists = "overwrite"
contents = <<EOF
data "aws_caller_identity" "current" {}
EOF
}Like before, run a $ TERRAGRUNT_TFPATH='tofu' terragrunt applyNotice what the # .terraform.lock.hcl
# This file is maintained automatically by "tofu init".
# Manual edits may be lost in future updates.
provider "registry.opentofu.org/hashicorp/aws" {
version = "5.52.0"
hashes = [
# Some hashes
]
}# cat terraform.tfstate
{
"version": 4,
"terraform_version": "1.7.1",
"serial": 5,
"lineage": "A UUID",
"outputs": {},
"resources": [
{
"mode": "data",
"type": "aws_caller_identity",
"name": "current",
"provider": "provider[\"registry.opentofu.org/hashicorp/aws\"]",
"instances": [
# Some instances
]
}
],
"check_results": null
}Similarly, trigger an error by switching to Terraform: $ TERRAGRUNT_TFPATH='terraform' terragrunt apply
╷
│ Error: Inconsistent dependency lock file
│
│ The following dependency selections recorded in the lock file are
│ inconsistent with the current configuration:
│ - provider registry.terraform.io/hashicorp/aws: required by this configuration but no version is selected
│
│ To update the locked dependency selections to match a changed
│ configuration, run:
│ terraform init -upgrade
╵
You'll notice up above, that the $ TERRAGRUNT_TFPATH='terraform' terragrunt state replace-provider 'registry.opentofu.org/hashicorp/aws' 'registry.terraform.io/hashicorp/aws'
Terraform will perform the following actions:
~ Updating provider:
- registry.opentofu.org/hashicorp/aws
+ registry.terraform.io/hashicorp/aws
Changing 1 resources:
data.aws_caller_identity.current
Do you want to make these changes?
Only 'yes' will be accepted to continue.
Enter a value: yes
Successfully replaced provider for 1 resources.
You'll also notice that the $ TERRAGRUNT_TFPATH='terraform' terragrunt init -upgradeTake a look at your If you want, you can even go the other way to prove to yourself that you can flip back and forth. After doing that experimentation, take a look at the lock and state files for the resources that are throwing errors. Are any of them in a configuration you don't expect? You use the same techniques you used here to repair them, and ensure that |
In addition to setting the environment variable I show above, and not having OpenTofu installed, you can also set the terraform_binary value in your |
Describe the bug
We have an application deployment using
terragruntwhich changed some providers to use the open-tofu registry; I'm not too thrilled that this is now the default especially with existing statefiles and may represent some confusion below as to what version we expected versus what we used. It seems this update happened a while ago but stopped working mid-last week. No updates toterragruntor ourterraformconfiguration had been made to provoke this; it seemed to have surfaced out of nowhere. The pull-request this was first seen in was for a NodeJS dependency update.The full error:
Per the referenced open-tofu issue, we were able to resolve this by manually migrating the provide back to the one located at
registry.terraform.iousing thetofu state replace-provider...command. Attempting to useterragruntorterraformwould result in errors fetching the provider with the error below.Steps To Reproduce
Expected behavior
A clear and concise description of what you expected to happen.
We had an existing state (from terragrunt). While performing dependency updates for application maintenance, our terraform-plan began to fail with the error:
Error while installing registry.opentofu.org/datadog/datadog v3.39.0: authentication signature from unknown issuerNice to haves
CI output
Versions
0.58.13peralpine/terragruntterraform 1.8.4but according to terragrunt0.58.13, tofu1.7.x?alpine/terragrunt:1.8.4Additional context
Carrying over from opentofu/registry#630 as recommended by the Open-Tofu team. Tagging @ZachGoldberg as requested!
The text was updated successfully, but these errors were encountered: