Hi @apparentlymart and @chrisarcand,
Thank you for your answers!
@apparentlymart I didn’t know that Terraform Cloud would provide a short-lived token, but it makes sense otherwise the workspace wouldn’t be able to download the private modules, providers, etc…
@chrisarcand I have some comments from your answer :
You don’t need remote state consumer access, no. The remote state consumer feature is to specifically control the implicit read access to all an organization’s states that the
terraform_remote_state data source utilizes (via the short-lived API token that Martin mentions).
Ok, that makes total sense
You should absolutely need to have an authorized token set to access a workspace’s outputs, though note that the token you’re using may have access by virtue of being an user token of an owner, someone with “Manage Workspaces” permission, etc. For more on how permissions work, see the documentation here.
I did some tests, and I can create a workspace A that exposes an output that a workspace B can access without any TFC token in the workspace configuration (like a TFE_TOKEN variable). During my tests, I used only the mode remote, but I agree that my current TFC token would give me access to the outputs with the local mode.
I created a gist with my test infra if you want to try to reproduce my tests: tfc_ouptputs vs terraform_remote_state · GitHub. If you execute it, you’ll notice that in workspace B, the null resource can display the output from workspace A without any custom TFE_TOKEN configured on the workspace. However, if I set the output from workspace A as sensitive, I run into this issue: Sensitive values is missing · Issue #449 · hashicorp/terraform-provider-tfe · GitHub (with or without the TFE_TOKEN configured on workspace B).
Thank again for your help!