I have Terraform part of my CI/CD pipeline - we segregate the plan stage from the apply stage, with the output of the plan stage (terraform plan -out plan.tfplan) as the input to the apply stage.
This works great – if the backend and providers use credentials that are consistent between the stages. It appears that if each job in the pipeline has different credentials (because they are ephemeral and specific to that job), the plan includes the credentials and when applying – despite `terraform init -reconfigure` with the new job credentials – the credentials in the plan are used, resulting in a 401 from my HTTP backend.
I could probably work around this problem by writing fancy scripts that check that plans match, except the backend configuration – but I’m wondering if there’s a better way to accomplish this, or if the behaviour is expected (it definitely was not to me, despite having used Terraform for quite a while now).
If necessary – I’m on Terraform 0.12.29.
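An added example, not part of the original post: the plan/apply split described above, with a guard that refuses any backend config file that hard-codes `username`/`password` (those values are what end up inside `plan.tfplan`). It assumes the http backend reads `TF_HTTP_USERNAME`/`TF_HTTP_PASSWORD` from the environment and that each CI job exports its own pair before calling these functions; the file names and the demo inputs are constructed.

```shell
#!/usr/bin/env sh
# Example CI helper (not the poster's pipeline). Keeps HTTP backend credentials
# out of the backend block so the saved plan cannot carry one job's ephemeral
# credentials into the next job. Assumes TF_HTTP_USERNAME / TF_HTTP_PASSWORD
# are exported per job and the backend file only holds non-secret settings.

# Returns 0 when the backend config file is readable and contains no
# username/password assignment, 1 otherwise.
backend_config_is_clean() {
  [ -r "$1" ] || return 1
  ! grep -Eq '^[[:space:]]*(username|password)[[:space:]]*=' "$1"
}

# Plan job: re-initialise with this job's (credential-free) backend file and
# write the plan artifact that the apply job will consume.
plan_stage() {
  backend_config_is_clean "$1" || { echo "refusing: credentials in $1" >&2; return 1; }
  terraform init -reconfigure -backend-config="$1" >/dev/null
  terraform plan -out plan.tfplan
}

# Apply job: same guard, its own TF_HTTP_* values, then apply the saved plan.
apply_stage() {
  backend_config_is_clean "$1" || { echo "refusing: credentials in $1" >&2; return 1; }
  terraform init -reconfigure -backend-config="$1" >/dev/null
  terraform apply plan.tfplan
}

# Constructed demo inputs; exercises only the guard, no terraform call.
demo() {
  dir=$(mktemp -d)
  printf 'address = "https://state.example.invalid/tf"\n' > "$dir/clean.hcl"
  printf 'address = "https://state.example.invalid/tf"\npassword = "job-token"\n' > "$dir/leaky.hcl"
  backend_config_is_clean "$dir/clean.hcl" && echo "clean.hcl: ok"
  backend_config_is_clean "$dir/leaky.hcl" || echo "leaky.hcl: credentials present"
  rm -r "$dir"
}

demo
```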