R2 Backend Environment Variable References #4815

Closed
3 tasks done
soudaburger opened this issue Dec 21, 2024 · 5 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log.

Comments

@soudaburger

Confirmation

  • This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
  • I have searched the issue tracker and my issue isn't already found.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

╰─ terraform version
Terraform v1.10.3
on darwin_arm64

Affected resource(s)

backend

Terraform configuration files

terraform {
  backend "s3" {
    bucket                      = "terraform-state"
    key                         = "terraform.tfstate"
    region                      = "auto"
    skip_credentials_validation = true
    skip_metadata_api_check     = true
    skip_region_validation      = true
    skip_requesting_account_id  = true
    skip_s3_checksum            = true
    use_path_style              = true
    access_key                  = "blah"
    secret_key                  = "blah"
    endpoints                   = "blah"
  }
}

Link to debug output

https://gist.github.com/soudaburger/7af5dd12d8155b2716c18a994f3044ce

Panic output

No response

Expected output

Basically, if you don't specify access_key and secret_key in the backend reference, I appear to get a "no valid credential sources found" error. I expect to be able to set the proper env vars to get this to work without specifying the access_key and secret_key so I don't have to hardcode credentials in plaintext.

Actual output

Initializing the backend...
Initializing modules...

  • cloudflare in ../../../modules/cloudflare

    │ Error: No valid credential sources found

    │ Please see https://www.terraform.io/docs/language/settings/backends/s3.html
    │ for more information about providing credentials.

    │ Error: failed to refresh cached credentials, no EC2 IMDS role found,
    │ operation error ec2imds: GetMetadata, access disabled to EC2 IMDS via
    │ client option, or "AWS_EC2_METADATA_DISABLED" environment variable

Steps to reproduce

Using export TF_VAR_R2_ACCESS_KEY_ID and export TF_VAR_R2_SECRET_ACCESS_KEY in a .env before the tf command is called. I use 1Password to store my credentials and the OP binary and op reads the .env before the op binary is called.

Then you can run tf init with the access_key and secret_key set. TF works.
Removing those two fields throws that missing credential error.

Additional factoids

What are the proper/expected environment variables I should be using to get it to work? The documentation for what exactly the R2 environment variables should be, especially with relation to the TF backend, seems extremely sparse or nonexistent.

I am certain this is either unsupported (environment variables for secret/access keys) or it's simply the wrong environment variables. I'm just trying to confirm what I'm supposed to be using to validate my assumptions.

References

No response

@soudaburger soudaburger added kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Dec 21, 2024

Terraform debug log detected ✅

@github-actions github-actions bot added the triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log. label Dec 21, 2024

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@jacobbednarz
Member

@jacobbednarz jacobbednarz closed this as not planned Won't fix, can't repro, duplicate, stale Dec 21, 2024
@soudaburger
Author

Why did this get closed? Those documents don't call out how to use environment variables? Those documents don't explain how to actually solve what I'm trying to accomplish. I've read those docs. They aren't very complete.

@jacobbednarz
Member

jacobbednarz commented Dec 21, 2024

The S3 backend is nothing to do with the Cloudflare provider. Even if you're using an S3-compatible source such as R2, we have no bearing over how that operates in the core tooling provided by Terraform itself. The documentation outlines how to use it for R2; however, if you have issues, you need to chat with Terraform core itself. That documentation is the extent of what is provided and known to work today.
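
The credential question raised in this thread, as an added example that is not part of the issue and is not Cloudflare provider or Terraform code: a shell preflight that rejects a backend block with plaintext `access_key`/`secret_key` and checks for `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, the environment variables Terraform's `s3` backend reads. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: preflight for an S3-compatible (R2) Terraform backend.
# Assumption: credentials reach the s3 backend through the standard
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables.
# TF_VAR_* names only populate input variables, and a backend block
# cannot reference input variables.

# Succeeds (0) when FILE assigns a string literal to access_key/secret_key.
has_hardcoded_creds() {
  grep -Eq '^[[:space:]]*(access_key|secret_key)[[:space:]]*=[[:space:]]*"' "$1"
}

# Prints the required variables that are unset or empty, space-separated.
# Succeeds (0) only when nothing is missing.
missing_backend_env() {
  missing=""
  [ -n "${AWS_ACCESS_KEY_ID:-}" ] || missing="$missing AWS_ACCESS_KEY_ID"
  [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] || missing="$missing AWS_SECRET_ACCESS_KEY"
  echo "${missing# }"
  [ -z "$missing" ]
}

# preflight FILE: 0 = ready for init, 1 = plaintext credentials in FILE,
# 2 = backend credentials absent from the environment.
preflight() {
  if has_hardcoded_creds "$1"; then
    echo "plaintext access_key/secret_key in $1; remove them" >&2
    return 1
  fi
  if ! names=$(missing_backend_env); then
    echo "not set: $names" >&2
    # The variable names used in the issue: visible to the configuration
    # as var.*, never to the backend.
    if [ -n "${TF_VAR_R2_ACCESS_KEY_ID:-}${TF_VAR_R2_SECRET_ACCESS_KEY:-}" ]; then
      echo "TF_VAR_R2_* is set, but the backend does not read TF_VAR_*" >&2
    fi
    return 2
  fi
  return 0
}
```

Call `preflight` from the same process environment that will launch `terraform init`, since that is where the secrets manager must have placed the variables.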
