Copying and pasting my attempted support ticket as I’m currently on the free plan
I’m setting my netlify ENV variables via your Terraform provider like so (resource header as shown in the error output below):

```hcl
resource "netlify_environment_variable" "next_public_youtube_playlist" {
  site_id = data.netlify_site.site.id
  team_id = data.netlify_team.team.id
  key     = "next_public_youtube_playlist"
  secret_values = [
    for context in local.contexts : {
      value   = jsondecode(data.aws_secretsmanager_secret_version.latest.secret_string)["next_public_youtube_playlist"]
      context = context
    }
  ]
  scopes = local.scopes
}

locals {
  source_repo = lower(basename(path.cwd))
  contexts    = ["dev", "branch-deploy", "deploy-preview", "production"]
  # scopes = ["builds", "functions", "runtime"]
}
```
Yet I get the following error if I don't include scopes.
```text
│ Error: Error updating Netlify environment variable
│
│ with netlify_environment_variable.next_public_youtube_playlist,
│ on netlify_env.tf line 246, in resource "netlify_environment_variable" "next_public_youtube_playlist":
│ 246: resource "netlify_environment_variable" "next_public_youtube_playlist" {
│
│ Could not update Netlify environment variable order ID "next_public_youtube_playlist" (team ID: "teamid", site ID:
│ "43fce32b-eca4-44e6-9af7-97d19a143a5d", secret: true): "422 Unprocessable Entity: {\"code\":422,\"message\":\"Secrets are not allowed to run in
│ 'post_processing' scopes.\"}"
```
Though if I include my scopes local I get this error:

```text
│ Error: Error updating Netlify environment variable
│
│ with netlify_environment_variable.next_public_youtube_playlist,
│ on netlify_env.tf line 132, in resource "netlify_environment_variable" "next_public_youtube_playlist":
│ 132: resource "netlify_environment_variable" "next_public_youtube_playlist" {
│
│ Could not update Netlify environment variable order ID "NEXT_PUBLIC_YOUTUBE_PLAYLIST" (team ID: "teamid", site ID:
│ "43fce32b-eca4-44e6-9af7-97d19a143a5d", secret: false): "403 Forbidden: {\"code\":403,\"message\":\"Upgrade your Netlify account to set specific scopes\"}"
```
This only happens with secret values, which I need, otherwise my secrets are exposed in my TF plan.
This seems like an impossible API bug to get around.
Terraform Resource: Terraform Registry
I currently do not see a way around this limitation other than setting them manually in the console which eliminates CI/CD.
@Wesley_Kirkland The second error makes sense in isolation:
```text
"403 Forbidden": {
  "code": 403,
  "message": "Upgrade your Netlify account to set specific scopes"
}
```
This is because the scopes feature of environment variables requires at minimum a Pro account.
Pricing Page
https://www.netlify.com/pricing/
Documentation
https://docs.netlify.com/environment-variables/overview/#scopes
The first error makes less sense to me:
```text
"422 Unprocessable Entity": {
  "code": "422",
  "message": "Secrets are not allowed to run in 'post_processing' scopes."
}
```
Since it’s not something you can administer with a Free/Starter plan you would hope they would avoid it themselves, but perhaps using what you’re working with is intended to push people onto a Pro plan.
Switching to a Pro plan seems like it’d make it work, and be the fastest way to keep moving, however I’m not sure that it should be necessary. @hrishikesh Do you have any insight?
@nathanmartin Thank you, I’m hoping that @hrishikesh can shine some light onto this. I agree that the second error makes perfect sense. Though the first error seems to be impossible to get around, and there isn’t much sense in a paid plan for me on this, as it’s a personal website that sees maybe 300 people a year. This is more of a fun project overall.
That’s interesting. Netlify UI is able to handle this well. As soon as you mark a variable as secret, it gets automatically removed from post processing.
UI before marking it as secret:
After marking it as secret:
The section is still disabled, but post-processing is also cancelled out. The API request payload is:
```json
[
  {
    "key": "FOO",
    "is_secret": true,
    "scopes": [
      "builds",
      "functions",
      "runtime"
    ],
    "values": [
      { "context": "production",     "value": "BAR" },
      { "context": "deploy-preview", "value": "BAR" },
      { "context": "branch-deploy",  "value": "BAR" },
      { "context": "dev-server",     "value": "BAR" },
      { "context": "dev",            "value": "BAR" }
    ]
  }
]
```
So the API itself is working. Could be a TF specific thing. Will have to investigate it more.
For now, I believe adding an environment variable would be a one-time thing? Is it not possible to do it from the UI?
I bypassed this in the end with a lifecycle ignore changes on scope so Terraform is ignoring this specific property on the API response.
The reason I didn’t do it explicitly from the UI is to accomplish full CI/CD for this project. You can see the code here as it’s public. The process flow is: I update the secrets in AWS Secrets Manager, then upon a deployment, if the value is different (according to the TF state file), it will update the Netlify variable through Terraform.
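A Terraform rendition of the workaround described in this post, added here as an example (it is not the poster's code or the linked repository's). It reuses the resource attributes shown earlier in the thread; the explanation of why `ignore_changes` helps (the API storing the secret without `post_processing`, so the provider sees drift and retries the rejected update) is an assumption drawn from the two error messages and the UI payload above.

```hcl
# Added example, not the poster's code. Assumptions: on a Free plan the API
# stores a secret variable with post_processing dropped from its scopes (as the
# UI payload above shows), so without ignore_changes the provider would see the
# reported scopes differ from the default and attempt an update that the API
# rejects with the 422 above. Omitting `scopes` avoids the 403 (Pro-only).
resource "netlify_environment_variable" "next_public_youtube_playlist" {
  site_id = data.netlify_site.site.id
  team_id = data.netlify_team.team.id
  key     = "NEXT_PUBLIC_YOUTUBE_PLAYLIST"

  # No `scopes` argument: specifying one explicitly requires a Pro plan.

  # secret_values keeps the value out of the plan output; the secret itself is
  # read from AWS Secrets Manager, never written into the .tf files.
  secret_values = [
    for context in local.contexts : {
      value   = jsondecode(data.aws_secretsmanager_secret_version.latest.secret_string)["next_public_youtube_playlist"]
      context = context
    }
  ]

  lifecycle {
    # Ignore whatever scopes the API reports back, so a difference between the
    # stored scopes and the provider default never triggers an update.
    ignore_changes = [scopes]
  }
}

locals {
  contexts = ["dev", "branch-deploy", "deploy-preview", "production"]
}
```

The trade-off is that a later, deliberate change to the variable's scopes would also be ignored by `terraform plan` until the `lifecycle` block is removed.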
Okay, I’ve let the devs know, but the only one who works on this is off till Thursday and even after they return, I don’t know how quickly this will be picked up given that this is a super under-used feature at the moment.