Netlify Terraform API Errors

Copying and pasting my attempted support ticket, as I'm currently on the free plan.

I'm setting my Netlify ENV variables via your Terraform provider like so:

resource "netlify_environment_variable" "next_public_youtube_playlist" {
  site_id = data.netlify_site.site.id
  team_id = data.netlify_team.team.id

  key = "next_public_youtube_playlist"
  # secret_values (rather than values) so the value is treated as a secret
  secret_values = [
    for context in local.contexts : {
      value   = jsondecode(data.aws_secretsmanager_secret_version.latest.secret_string)["next_public_youtube_playlist"]
      context = context
    }
  ]
  # toggled between the two runs below (see the commented-out local)
  scopes = local.scopes
}

locals {
  source_repo = lower(basename(path.cwd))
  contexts    = ["dev", "branch-deploy", "deploy-preview", "production"]
  # scopes      = ["builds", "functions", "runtime"]
}

Yet I get the following error if I don't include scopes:
Error: Error updating Netlify environment variable
│ 
│   with netlify_environment_variable.next_public_youtube_playlist,
│   on netlify_env.tf line 246, in resource "netlify_environment_variable" "next_public_youtube_playlist":
│  246: resource "netlify_environment_variable" "next_public_youtube_playlist" {
│ 
│ Could not update Netlify environment variable order ID "next_public_youtube_playlist" (team ID: "teamid", site ID:
│ "43fce32b-eca4-44e6-9af7-97d19a143a5d", secret: true): "422 Unprocessable Entity: {\"code\":422,\"message\":\"Secrets are not allowed to run in
│ 'post_processing' scopes.\"}"

Though if I include my scopes local, I get this error:
│ Error: Error updating Netlify environment variable
│ 
│   with netlify_environment_variable.next_public_youtube_playlist,
│   on netlify_env.tf line 132, in resource "netlify_environment_variable" "next_public_youtube_playlist":
│  132: resource "netlify_environment_variable" "next_public_youtube_playlist" {
│ 
│ Could not update Netlify environment variable order ID "NEXT_PUBLIC_YOUTUBE_PLAYLIST" (team ID: "teamid", site ID:
│ "43fce32b-eca4-44e6-9af7-97d19a143a5d", secret: false): "403 Forbidden: {\"code\":403,\"message\":\"Upgrade your Netlify account to set specific scopes\"}"

This only happens with secret values, which I need; otherwise my secrets are exposed in my TF plan.

This seems like an impossible API bug to get around.

Terraform Resource: Terraform Registry

I currently do not see a way around this limitation other than setting them manually in the console which eliminates CI/CD.
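For readers hitting the same pair of errors, here is an added configuration example (not the original poster's code, and not from the Netlify provider's own documentation) that sets the scopes explicitly and leaves out post_processing, which the 422 above names as the scope that secrets may not run in. It assumes the Secrets Manager secret is a JSON object whose keys are the environment variable names, and that the account's plan accepts the scopes attribute; the resource and data source names are the ones already used in the thread.

```hcl
# Added example, not the original poster's configuration.
# Assumes: the Secrets Manager secret is a JSON object {"NAME": "value", ...},
# and the Netlify plan permits the scopes attribute (403 otherwise, as above).

locals {
  contexts = ["dev", "branch-deploy", "deploy-preview", "production"]

  # Every scope except post_processing, which the API rejects for secrets.
  secret_scopes = ["builds", "functions", "runtime"]

  # Decode once. secret_string is marked sensitive by the AWS provider, so
  # everything derived from it stays redacted in plan and apply output.
  secrets = jsondecode(data.aws_secretsmanager_secret_version.latest.secret_string)
}

# One resource per secret key. for_each cannot iterate a sensitive value, so the
# key set is explicitly unmarked: the keys are variable names, not secret material.
resource "netlify_environment_variable" "secret" {
  for_each = nonsensitive(toset(keys(local.secrets)))

  team_id = data.netlify_team.team.id
  site_id = data.netlify_site.site.id
  key     = upper(each.key)
  scopes  = local.secret_scopes

  # secret_values rather than values, so the value itself is stored as a secret.
  secret_values = [
    for context in local.contexts : {
      value   = local.secrets[each.key]
      context = context
    }
  ]
}
```

The value side stays sensitive all the way through because it is only ever read from the sensitive decoded map; only the key names are unmarked for iteration. Whether the explicit scopes are accepted is a plan question, as the thread's 403 shows, so this does not remove the plan requirement; it only avoids the default scope set that triggers the 422.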

@Wesley_Kirkland The second error makes sense in isolation:

"403 Forbidden": {
  "code": 403,
  "message": "Upgrade your Netlify account to set specific scopes"
}

This is because the scopes feature of environment variables requires at minimum a Pro account.

Pricing Page: https://www.netlify.com/pricing/

Documentation: https://docs.netlify.com/environment-variables/overview/#scopes


The first error makes less sense to me:

"422 Unprocessable Entity": {
  "code": 422,
  "message": "Secrets are not allowed to run in 'post_processing' scopes."
}

Since it's not something you can administer with a Free/Starter plan, you would hope they would avoid it themselves, but perhaps using what you're working with is intended to push people onto a Pro plan.

Switching to a Pro plan seems like it’d make it work, and be the fastest way to keep moving, however I’m not sure that it should be necessary. @hrishikesh Do you have any insight?

@nathanmartin Thank you, I’m hoping that @hrishikesh can shine some light onto this. I agree that the second error makes perfect sense. Though the first error seems to be impossible to get around, and there isn’t much sense in a paid plan for me on this, as it’s a personal website that sees maybe 300 people a year. This is more of a fun project overall.