Description
Terraform Version
Terraform v1.3.9
on darwin_arm64
Terraform v1.4.0
on darwin_arm64Terraform Configuration Files
terraform {
backend "gcs" {
prefix = "tfstate/state"
bucket = "bucket"
encryption_key = ""
}
}Debug Output
na
Expected Behavior
Terraform 1.4.0 working like 1.3.9 did and the GOOGLE_ENCRYPTION_KEY being picked up like before
Actual Behavior
The GOOGLE_ENCRYPTION_KEY is ignored and the empty encryption_key has preference which results in the error:
# terraform init
Initializing the backend...
Error loading state: Failed to open state file at gs://guida-aws-production-tf/tfstate/guida-eks-dev-1/default.tfstate: googleapi: got HTTP response code 400 with body: <?xml version='1.0' encoding='UTF-8'?><Error><Code>ResourceIsEncryptedWithCustomerEncryptionKey</Code><Message>The resource is encrypted with a customer encryption key.</Message></Error>While this worked fine in 1.3.9
Steps to Reproduce
Setup thegcs backend with encryption_key = "" in the conf like above
1.3.9
- export GOOGLE_ENCRYPTION_KEY="key"
- terraform init
- works
1.4.0
- export GOOGLE_ENCRYPTION_KEY="key"
- terraform init
- encryption key error
Additional Context
Changes like this will lower the precedence of the env var: 469824c
In our case just removing the key was enough but it was a bit of a search why this broke since there is no mention in the CHANGELOG, just about some new features for the gcs backend.
I don't know if this is a documentation issue, I just wanted to raise some awareness for changes like this. A mention in the changelog about this would have been nice. It now got sneaked in with a mostly unrelated PR.