
Provider opentofu/aws ignores configuration block, leading to instance profile being used #1342

Closed
dhs-rec opened this issue Nov 29, 2024 · 4 comments · Fixed by #1345
Labels
bug Something isn't working

Comments

@dhs-rec

dhs-rec commented Nov 29, 2024

Thank you for reporting an issue.

Hi,

I tried to replace hashicorp/aws with opentofu/aws and it gets installed fine using tofu init -reconfigure, but when I run tofu plan afterwards I get lots of errors of the form

Error: reading ECR Repository (XXX): operation error ECR: DescribeRepositories, https response error StatusCode: 400, RequestID: xxxxxxxxxxxx-40a8-4cd6-ab84-fb2ec3908d59, api error AccessDeniedException: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/role_name/i-1234567890 is not authorized to perform: ecr:DescribeRepositories on resource: arn:aws:ecr:eu-central-1:xxxxxxxxxxxx:repository/XXX because no identity-based policy allows the ecr:DescribeRepositories action

which works just fine with the hashicorp/aws provider (using the same version for both: 5.78.0).

OpenTofu Version

% tofu --version
OpenTofu v1.8.6
on linux_amd64
+ provider registry.opentofu.org/hashicorp/aws v5.78.0
+ provider registry.opentofu.org/opentofu/aws v5.78.0

OpenTofu Configuration Files

data "terraform_remote_state" "vpc" {
  backend = "s3"
  config  = {
    bucket  = var.s3_terraform_bucket
    key     = "terraform.tfstate"
    profile = var.profile
    region  = var.region
  }
}

provider "aws" {
  ##### These seem to be ignored by opentofu/aws #####
  profile = var.profile
  region  = var.region
}

# Setup DynamoDB table for locking
resource "aws_dynamodb_table" "terraform_lock" {
  attribute {
    name = "LockID"
    type = "S"
  }
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  name         = var.dynamodb_terraform_table
  tags         = {
  }
}

# Setup S3 bucket for storing the state
resource "aws_s3_bucket" "terraform_state" {
  bucket = var.s3_terraform_bucket
  tags   = {
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "terraform_state" {
  bucket = aws_s3_bucket.terraform_state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

resource "aws_s3_bucket_versioning" "terraform_state" {
  bucket = aws_s3_bucket.terraform_state.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Configure Terraform
terraform {
  backend "s3" {
    bucket         = var.s3_terraform_bucket
    dynamodb_table = var.dynamodb_terraform_table
    encrypt        = true
    key            = "terraform.tfstate"
    profile        = var.profile
    region         = var.region
  }

  # Declare external modules
  required_providers {
    aws = {
      source  = "hashicorp/aws"   # WORKS
      #source  = "opentofu/aws"   # DOESN'T WORK
      version = "5.78.0"
    }
  }
}
@dhs-rec dhs-rec added the bug Something isn't working label Nov 29, 2024
@abstractionfactory
Contributor

Hi @dhs-rec it looks like you tried using both the OpenTofu and the HashiCorp namespace, which led to a mixup. Using the OpenTofu namespace for the providers we are mirroring from HashiCorp is not advisable. Can you please check your state file for references to the OpenTofu namespace?

@dhs-rec
Author

dhs-rec commented Nov 29, 2024

Hi @dhs-rec it looks like you tried using both the OpenTofu and the HashiCorp namespace, which lead to a mixup.

Yes, that's what I'm doing. I'm trying to replace one with the other, that's why I currently have both installed (I also can't seem to find a way to uninstall the hashicorp one).

Using the OpenTofu namespace for the providers we are mirroring from HashiCorp is not advisable.

Hmm, ok. Why do they exist as opentofu/..., then?

Can you please check your state file for references to the OpenTofu namespace?

Not sure how I would do that.

Anyway, if it's not advisable to use opentofu/aws at all, it might be better not to switch, right? In this case, this should at least be documented somewhere, I guess...
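One way to answer the "check your state file for references to the OpenTofu namespace" question, as an added example that is not from the issue or the OpenTofu project: it parses a pulled state file (`tofu state pull` output, state format v4, where each resource carries a `provider["host/namespace/type"]` binding) and reports which provider source addresses the resources are bound to, flagging a provider type that is bound under more than one namespace. The sample state below is constructed.

```python
import json
import re
import sys
from collections import defaultdict

# Constructed sample tfstate (v4) in which the aws resources are split between
# the hashicorp/ and opentofu/ namespaces, the situation described in the issue.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.8.6",
    "resources": [
        {"mode": "managed", "type": "aws_s3_bucket", "name": "terraform_state",
         "provider": 'provider["registry.opentofu.org/hashicorp/aws"]', "instances": []},
        {"mode": "managed", "type": "aws_dynamodb_table", "name": "terraform_lock",
         "provider": 'provider["registry.opentofu.org/opentofu/aws"]', "instances": []},
        {"mode": "data", "type": "terraform_remote_state", "name": "vpc",
         "provider": 'provider["terraform.io/builtin/terraform"]', "instances": []},
    ],
})

# Matches the provider binding written into state; an optional ".alias" suffix is ignored.
PROVIDER_RE = re.compile(r'provider\["([^"]+)"\]')


def resources_by_provider(state_json: str) -> dict[str, list[str]]:
    """Map each provider source address to the resource addresses bound to it."""
    state = json.loads(state_json)
    out: dict[str, list[str]] = defaultdict(list)
    for res in state.get("resources", []):
        m = PROVIDER_RE.match(res.get("provider", ""))
        if not m:
            continue  # unexpected provider string; leave it for manual review
        addr = f"{res['type']}.{res['name']}"
        if res.get("mode") == "data":
            addr = "data." + addr
        out[m.group(1)].append(addr)
    return dict(out)


def mixed_namespaces(state_json: str) -> dict[str, set[str]]:
    """Return provider types (e.g. 'aws') that are bound under more than one namespace."""
    by_type: dict[str, set[str]] = defaultdict(set)
    for source in resources_by_provider(state_json):
        host, namespace, ptype = source.rsplit("/", 2)  # hostname/namespace/type
        by_type[ptype].add(f"{host}/{namespace}")
    return {t: ns for t, ns in by_type.items() if len(ns) > 1}


if __name__ == "__main__":
    state_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATE
    for source, addrs in sorted(resources_by_provider(state_text).items()):
        print(f"{source}: {len(addrs)} resource(s)")
    for ptype, ns in mixed_namespaces(state_text).items():
        print(f"WARNING: provider '{ptype}' bound under several namespaces: {sorted(ns)}")
```

Run it as `tofu state pull | python3 check_state.py`; a non-empty warning means the state still references both namespaces and the provider block in the configuration will not apply uniformly to all resources.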

abstractionfactory added a commit that referenced this issue Dec 2, 2024
…roviders

Signed-off-by: AbstractionFactory <179820029+abstractionfactory@users.noreply.github.com>
@abstractionfactory
Contributor

@dhs-rec you are correct, I opened #1345 to warn people about using the opentofu/ namespace. Does this address your issue or do you need further help?

@dhs-rec
Author

dhs-rec commented Dec 2, 2024

Sure, that's fine. Thanks a lot.
