Can't provision artifactory_permission_target resources

[carlitos081]

Describe the bug
A clear and concise description of what the bug is.

Requirements for and issue

• A description of the bug
• A fully functioning terraform snippet that can be copy&pasted (no outside files or ENV vars unless that's part of the issue). If this is not supplied, this issue will likely be closed without any effort expended.
• Your version of artifactory (you can curl it at $host/artifactory/api/system/version
• Your version of terraform
• Your version of terraform provider

Expected behavior
A clear and concise description of what you expected to happen.

Additional context
Add any other context about the problem here.

I have an issue creating artifactory_permission_target :

Initializing the backend...

Initializing provider plugins...
- Reusing previous version of jfrog/artifactory from the dependency lock file
- Reusing previous version of hashicorp/google-beta from the dependency lock file
- Reusing previous version of hashicorp/google from the dependency lock file
- Using previously-installed jfrog/artifactory v8.9.1
- Using previously-installed hashicorp/google-beta v4.72.0
- Using previously-installed hashicorp/google v5.10.0

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
data.google_service_account_access_token.default: Reading...
data.google_service_account_access_token.default: Read complete after 1s [id=projects/-/serviceAccounts/sa-tier2-ambt-art-cicd-prod@wd-ambt-art-cicd-prod.iam.gserviceaccount.com]
╷
│ Error: Invalid provider configuration
│ 
│ Provider "registry.terraform.io/jfrog/artifactory" requires explicit
│ configuration. Add a provider block to the root module and configure the
│ provider's required arguments as described in the provider documentation.
│ 
╵
╷
│ Error: Missing URL Configuration
│ 
│   with provider["registry.terraform.io/jfrog/artifactory"],
│   on <empty> line 0:
│   (source code not available)
│ 
│ While configuring the provider, the url was not found in the
│ JFROG_URL/ARTIFACTORY_URL environment variables or provider configuration
│ block url attribute.
╵

This my main.tf:

resource "artifactory_permission_target" "artifactory-prod-publish" {
  name = "artifactory.prod.publish"
  repo {
    repositories = [
      "generic-eksa-images-dev"
    ]
    includes_pattern = ["**/*"]

    actions {
      users {
        name        = "test.test"
        permissions = ["read"]
      }
    }
  }
}

My providers.tf

 provider "google" {
   alias = "impersonation"
   scopes = [
     "https://www.googleapis.com/auth/cloud-platform",
     "https://www.googleapis.com/auth/userinfo.email",
   ]
  }

  data "google_service_account_access_token" "default" {
   provider               	= google.impersonation
   target_service_account 	= "sa-tier2-ambt-art-cicd-prod@wd-ambt-art-cicd-prod.iam.gserviceaccount.com"
   scopes                 	= ["userinfo-email", "cloud-platform"]
   lifetime               	= "1200s"
  }

  provider "google" {
    access_token	= data.google_service_account_access_token.default.access_token
    project         = "wd-ambt-art-cicd-prod"
    region          = "us-west1"
    zone            = "us-west1-a"
  }

  # Configure the Artifactory provider
  provider "artifactory" {
    alias = "test_instance"
    url           = "https://artifactory-aws.test.com/artifactory"
    access_token  = file("~/.artifactory-test-token")

  }

Artifactory EnterpriseX license 7.55.6 rev
terraform jfrog provider 8.9.1
Terraform v1.5.7
terragrunt v0.45.5

expected behaviour will be seeing it working like it works if I replace ONLY the content of the main.tf file, proving that the provider configuration works, with the following

resource "artifactory_access_token" "audience" {
  provider          = artifactory.test_instance
  for_each          = var.service_accounts
  username          = each.key
  groups            = ["readers"]
  refreshable       = true
  end_date_relative = "9600h"
  audience          = "jfrt@*"
}

result:

Initializing the backend...

Initializing provider plugins...
- Reusing previous version of hashicorp/google from the dependency lock file
- Reusing previous version of hashicorp/google-beta from the dependency lock file
- Reusing previous version of jfrog/artifactory from the dependency lock file
- Using previously-installed hashicorp/google v5.10.0
- Using previously-installed hashicorp/google-beta v4.72.0
- Using previously-installed jfrog/artifactory v8.9.1

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
data.google_service_account_access_token.default: Reading...
data.google_service_account_access_token.default: Read complete after 0s [id=projects/-/serviceAccounts/sa-tier2-ambt-art-cicd-prod@wd-ambt-art-cicd-prod.iam.gserviceaccount.com]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # artifactory_access_token.audience will be created
  + resource "artifactory_access_token" "audience" {
      + access_token      = (sensitive value)
      + audience          = "jfrt@*"
      + end_date          = (known after apply)
      + end_date_relative = "9600h"
      + groups            = [
          + "readers",
        ]
      + id                = (known after apply)
      + refresh_token     = (sensitive value)
      + refreshable       = true
      + username          = "test-service-account"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
╷
│ Warning: Deprecated Resource
│ 
│   with artifactory_access_token.audience,
│   on main.tf line 56, in resource "artifactory_access_token" "audience":
│   56: resource "artifactory_access_token" "audience" {
│ 
│ This resource is being deprecated and replaced by artifactory_scoped_token
│ 
│ (and one more similar warning elsewhere)
╵

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

artifactory_access_token.audience: Creating...
artifactory_access_token.audience: Creation complete after 1s [id=2281827007]
╷
│ Warning: Deprecated Resource
│ 
│   with artifactory_access_token.audience,
│   on main.tf line 56, in resource "artifactory_access_token" "audience":
│   56: resource "artifactory_access_token" "audience" {
│ 
│ This resource is being deprecated and replaced by artifactory_scoped_token
╵
Releasing state lock. This may take a few moments...

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

[alexhung]

@carlitos081 Looks like you are using 2 separate .tf files? terraform cli will process all .tf files in the root directory/module and since your main.tf is alphabetically comes before provider.tf, that is the file TF used in your example processes first and looks for provider configuration.

You can:

• rename the file with provider configuration so that it is always the first file TF will process (e.g. prefix with _)
• use TF modules to split your configuration into multiple files for better organization.

[carlitos081]

Hi @alexhung not sure I follow, I'm using terraform from years and never had to do or heard about alphabetical order for tf file, can you elaborate?

If I use same file main.tf and provider.tf it works if in the main.tf I have this content:

resource "artifactory_access_token" "audience" {
  provider          = artifactory.test_instance
  for_each          = var.service_accounts
  username          = each.key
  groups            = ["readers"]
  refreshable       = true
  end_date_relative = "9600h"
  audience          = "jfrt@*"
}

but it doesn't if I replace it with this content:

resource "artifactory_permission_target" "artifactory-prod-publish" {
  name = "artifactory.prod.publish"
  repo {
    repositories = [
      "generic-eksa-images-dev"
    ]
    includes_pattern = ["**/*"]

    actions {
      users {
        name        = "grahame.connolly"
        permissions = ["read"]
      }
    }
  }
}

and it works without changing name around? Thanks

[alexhung]

@carlitos081 This is the error message that I was responding to:

╷
│ Error: Invalid provider configuration
│ 
│ Provider "registry.terraform.io/jfrog/artifactory" requires explicit
│ configuration. Add a provider block to the root module and configure the
│ provider's required arguments as described in the provider documentation.
│ 
╵
╷
│ Error: Missing URL Configuration
│ 
│   with provider["registry.terraform.io/jfrog/artifactory"],
│   on <empty> line 0:
│   (source code not available)
│ 
│ While configuring the provider, the url was not found in the
│ JFROG_URL/ARTIFACTORY_URL environment variables or provider configuration
│ block url attribute.
╵

Is this the only error message you get?

I don't know why swapping resources will make it work.

[alexhung]

@carlitos081 Ah, I just noticed that in your provider configuration you use alias attribute.

However in your artifactory_permission_target resource you did not include provider = artifactory.test_instance attribute, so TF is looking for artifactory provider which is not defined.

[carlitos081]

Yes! Thanks @alexhung, that was the issue, so silly from my side, Thanks a mill!!!!