Error when running a curl using local-exec

Hi all. I’m running into an error when I use the terraform_data resource to run a curl command.

Here’s the code:

resource "terraform_data" "verify" {
  provisioner "local-exec" {
    command = <<EOT
      curl -X GET -H "Authorization: Bearer ${data.google_client_config.default.access_token}" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/<redacted>:getSyncAuthorization"
    EOT
  }
}

data "google_client_config" "default" {
  provider = google
}

And here’s the error:

Error: Invalid template interpolation value
│ 
│   on curl.tf line 15, in resource "terraform_data" "verify":
│   14:     command = <<EOT
│   15:       curl -X GET -H "Authorization: ***" \
│   16:       -H "Content-Type:application/json" \
│   17:       "https://apigee.googleapis.com/v1/organizations/<redatcted>:getSyncAuthorization"
│   18:     EOT
│ 
│ The expression result is null. Cannot include a null value in a string
│ template.

The role used to run the terraform has the following permissions assigned to it:
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt

What am I missing?

Hi @djennings618,

I’m not familiar with this particular resource type, but I see that this string template only has one interpolation sequence, and it refers to data.google_client_config.default.access_token. Therefore this access_token attribute must be null.

The documentation for google_client_config doesn’t mention any situation where that attribute would be null, but I guess must be some detail of the underlying API the provider is calling, which might be described in GCP’s own documentation.

Since I think this question is ultimately one of why this attribute turned out to be null, and what to return is decided by the provider rather than by Terraform itself, I’m going to move this into the Google provider category, since there it’s more likely to find someone with GCP expertise.