Debugging Terraform - API response body is not listed in the logs


Terraform v1.4.6
on linux_amd64

I have a problem with importing resources to Terraform and am trying to debug and resolve it.
I’ve set the env var TF_LOG=TRACE, and when I run the terraform import command I see only the REQUEST and RESPONSE headers in the logs, but I don’t see the response body with the particular error description.

[DEBUG] Vault API Request Details:
---[ REQUEST ]---------------------------------------
GET /v1/identity/group/id/ac267046-69cc-647f-2761-f94e745146d0 HTTP/1.1
User-Agent: Go-http-client/1.1
X-Vault-Namespace: aaa
X-Vault-Request: true
Accept-Encoding: gzip

[DEBUG] Vault API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 403 Forbidden
Content-Length: 60
Cache-Control: no-store
Content-Type: application/json
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Vault-Namespace: aaa

If I use curl for such a request, I see the error message in the response body, which helped me to resolve the issue. But in the TF logs there is no API response body; the only thing I can see is the response code.
I googled about it but with no success.
Maybe someone had the same issue and resolved it?
Thanks in advance.

What individual providers log is up to the individual provider.

In this case, that would be terraform-provider-vault.

It would be necessary to dig through the source code to confirm, but I wouldn’t be surprised if it just chooses never to log the body.

In any case, 403 Forbidden is fairly indicative even without additional information.


Thanks @maxb, you suggested the right way for me to dig :slight_smile:
Answering my own question :man_facepalming: :laughing:
Provider Debugging
Terraform supports various logging options by default. These are documented here.

The environment variables below can be configured to provide extended log output. The Terraform log level must be set to DEBUG or higher. It’s important to note that any extended log output may reveal secrets, so please exercise caution when enabling any of the following:

TERRAFORM_VAULT_LOG_BODY - when set to true both the request and response body will be logged.
TERRAFORM_VAULT_LOG_REQUEST_BODY - when set to true the request body will be logged.
TERRAFORM_VAULT_LOG_RESPONSE_BODY - when set to true the response body will be logged.

Link → Docs overview | hashicorp/vault | Terraform Registry

Thread could be closed
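
An added example, not part of the thread or the provider documentation: one way to act on the "may reveal secrets" caution above by enabling only response-body logging for a single command, keeping the log in an owner-only file, and masking credential-looking values before an excerpt is shared. The function names and redaction patterns are assumptions made for illustration, and the sample lines are constructed; `TF_LOG_PATH` is Terraform's standard variable for writing logs to a file.

```bash
#!/usr/bin/env bash
# Added example, not from the thread or the provider docs.

# Run a command with the Vault provider's response-body logging switched on,
# sending the log to an owner-only file instead of the terminal or CI output.
# Usage: run_with_vault_body_log <logfile> <command> [args...]
run_with_vault_body_log() {
    (
        logfile=$1
        shift
        umask 077                  # anything created from here on is owner-only
        : > "$logfile"             # create or truncate the log file
        chmod 600 "$logfile"       # tighten it if it already existed
        export TF_LOG=DEBUG        # the docs require DEBUG or higher
        export TF_LOG_PATH="$logfile"
        export TERRAFORM_VAULT_LOG_RESPONSE_BODY=true   # response body only
        "$@"
    )                              # subshell: variables do not leak to the caller
}

# Mask credential-looking values before a log excerpt leaves the machine.
# The patterns are illustrative assumptions, not an exhaustive list.
redact_vault_log() {
    sed -E \
        -e 's/(X-Vault-Token:[[:space:]]*).*/\1[REDACTED]/' \
        -e 's/("(client_token|secret_id|password)"[[:space:]]*:[[:space:]]*")[^"]*/\1[REDACTED]/g' \
        -e 's/hv[sbr]\.[A-Za-z0-9_-]+/[REDACTED]/g' \
        "$@"
}

# Constructed sample lines (not real provider output) to show the redaction.
demo_redaction() {
    redact_vault_log <<'EOF'
X-Vault-Token: hvs.CONSTRUCTEDexample
{"auth":{"client_token":"hvs.CONSTRUCTEDexample","policies":["default"]}}
{"errors":["1 error occurred:\n\t* permission denied\n\n"]}
EOF
}

# Typical use (resource address and ID are placeholders):
#   run_with_vault_body_log ./tf-debug.log terraform import <ADDRESS> <ID>
#   redact_vault_log ./tf-debug.log | less
```

Delete the log file once the 403 is diagnosed; the redaction only covers the patterns listed, so review an excerpt before posting it.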