Terraform auth not working when adding resources

Question

I wanted to try out terraform on our OpenStack environment. I tried to set it up and it seems to work when only the following is defined:

provider "openstack" {
  user_name   = "test"
  tenant_name = "test"
  password    = "testpassword"
  auth_url    = "https://test:5000/v3/"
  region      = "test"
}

I can run terraform plan without any problem it says:

No changes. Infrastructure is up-to-date. This means that Terraform did not detect any differences between your configuration and real physical resources that exist. As a result, no actions need to be performed.

When i try to add a resource:

resource "openstack_compute_instance_v2" "test" {
  name            = "test_server"
  image_id        = "test_id123"
  flavor_id       = "3"
  key_pair        = "test"
  security_groups = ["default"]

  network {
    name = "Default Network"
  }
}

When i run terraform plan i now get

Error: Error running plan: 1 error(s) occurred: provider.openstack: Authentication failed

Answer 1

The authentication is working. Something in your provider section is incorrect.

Terraform does not verify the provider information when there is no resource using it.

I validated your findings, and then took it a step farther. I created two providers, one for AWS and one for OpenStack using your example. I then added a resource to create an AWS VPC. My AWS credentials were correct. When I ran terraform plan it returned the action plan for building the VPC. It did not check the fake OpenStack credentials.

One other thing, once there is a resource for a provider it always uses the credentials even if there is nothing to do.

provider "aws" {
  access_key = "<redacted>"
  secret_key = "<redacted>"
  region     = "us-east-1"
}

provider "openstack" {
  user_name   = "test"
  tenant_name = "test"
  password    = "testpassword"
  auth_url    = "https://test:5000/v3/"
  region      = "test"
}


/* Create VPC */
resource "aws_vpc" "default" {
  cidr_block    = "10.200.0.0/16"
  enable_dns_support = true
  enable_dns_hostnames = true
  tags {
    Name = "testing"
  }
}

Produced the following output verifying the OpenStack provider wasn't checked:

$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.


------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  + aws_vpc.default
      id:                               <computed>
      arn:                              <computed>
      assign_generated_ipv6_cidr_block: "false"
      cidr_block:                       "10.200.0.0/16"
      default_network_acl_id:           <computed>
      default_route_table_id:           <computed>
      default_security_group_id:        <computed>
      dhcp_options_id:                  <computed>
      enable_classiclink:               <computed>
      enable_classiclink_dns_support:   <computed>
      enable_dns_hostnames:             "true"
      enable_dns_support:               "true"
provider "aws" {
      instance_tenancy:                 "default"
      ipv6_association_id:              <computed>
      ipv6_cidr_block:                  <computed>
      main_route_table_id:              <computed>
      tags.%:                           "1"
      tags.Name:                        "testing"


Plan: 1 to add, 0 to change, 0 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.