Bug Summary: Infisical Terraform Provider Fails with Secret References
Issue Description
The Infisical Terraform provider's ephemeral block fails to retrieve secrets when the target environment uses variable references (like ${common.AWS_ACCESS_KEY_ID}) instead of direct secret values.
Steps to Reproduce
- Working Configuration:

      ephemeral "infisical_secret" "aws_access_key_id" {
        name         = "AWS_ACCESS_KEY_ID"
        env_slug     = "infra"
        workspace_id = data.infisical_projects.platform.id
        folder_path  = "/"
      }

  Where k8s-infra environment has AWS_ACCESS_KEY_ID set to a direct value (e.g., foobarkey...)
- Failing Configuration:
  Same Terraform code, but where k8s-infra environment has AWS_ACCESS_KEY_ID set to a variable reference (e.g., ${common.AWS_ACCESS_KEY_ID})
Infisical Project Structure
Project: test-project
├── Environment: common
│   └── AWS_ACCESS_KEY_ID: "foobarkey..." (direct value)
└── Environment: infra
    └── AWS_ACCESS_KEY_ID: "${common.AWS_ACCESS_KEY_ID}" (variable reference)
Expected Behavior
The ephemeral block should resolve the variable reference and retrieve the actual secret value from the referenced environment (common).
Actual Behavior
- Error: InvalidClientTokenId: The security token included in the request is invalid
- Root Cause: The provider retrieves the literal string ${common.AWS_ACCESS_KEY_ID} instead of resolving it to the actual AWS access key value
Workaround
Manually copy the secret value from the source environment (common) to the target environment (infra) instead of using variable references.
Environment Details
- Provider: infisical/infisical version ~> 0.15
- Terraform Version: >= 1.12
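
The expected and actual behavior reported above, as an added Go example that is not part of the original report and not the Infisical provider's code: it expands `${env.KEY}` references and flags a fetched value that still contains one, so the literal never reaches AWS as a credential. The names `Store`, `Resolve`, `Unresolved` and `sample` are hypothetical, the in-memory map stands in for the Infisical API, the reference grammar is assumed from the single form shown in the issue, and the secret values are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// refPattern matches the ${env.KEY} form from the issue (assumed grammar, not Infisical's parser).
var refPattern = regexp.MustCompile(`\$\{([A-Za-z0-9_-]+)\.([A-Za-z0-9_]+)\}`)

// Store maps environment slug -> secret name -> raw stored value.
type Store map[string]map[string]string

// Resolve expands every reference in env/key; missing targets and cycles are errors.
func Resolve(s Store, env, key string, seen map[string]bool) (string, error) {
	id := env + "." + key
	raw, ok := s[env][key]
	if !ok || seen[id] {
		return "", fmt.Errorf("cannot resolve %s (missing or cyclic)", id)
	}
	seen[id] = true
	defer delete(seen, id) // only the current chain counts as "seen"
	var firstErr error
	out := refPattern.ReplaceAllStringFunc(raw, func(m string) string {
		p := refPattern.FindStringSubmatch(m)
		v, err := Resolve(s, p[1], p[2], seen)
		if err != nil && firstErr == nil {
			firstErr = err
		}
		return v
	})
	if firstErr != nil {
		return "", firstErr // never hand back a partially expanded secret
	}
	return out, nil
}

// Unresolved reports whether a fetched value still holds a reference, as in the report.
func Unresolved(v string) bool { return refPattern.MatchString(v) }

// sample mirrors the project structure in the issue (constructed values).
var sample = Store{
	"common": {"AWS_ACCESS_KEY_ID": "foobarkey-constructed"},
	"infra":  {"AWS_ACCESS_KEY_ID": "${common.AWS_ACCESS_KEY_ID}"},
}

func main() {
	v, err := Resolve(sample, "infra", "AWS_ACCESS_KEY_ID", map[string]bool{})
	fmt.Println(Unresolved(sample["infra"]["AWS_ACCESS_KEY_ID"]), v, err)
}
```

A caller that cannot resolve references itself can still use the `Unresolved` check to fail before configuring the AWS client, which turns the misleading `InvalidClientTokenId` into an error that names the actual problem.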