Fix Terraform credential error #226

Merged
merged 3 commits into from
Jul 29, 2024

JustinLex
Member

Was getting the following error from GitHub Actions on Terraform 1.9.3:

Run terraform init
  terraform init
  shell: /usr/bin/bash -e {0}
  env:
    CLOUDFLARE_API_TOKEN: 
    HCLOUD_TOKEN: 
    AWS_ACCESS_KEY_ID: 
    AWS_SECRET_ACCESS_KEY: 
    B2_APPLICATION_KEY_ID: 
    B2_APPLICATION_KEY: 
    TF_VAR_pw_hash: 
    TERRAFORM_CLI_PATH: /home/runner/work/_temp/1882a3f3-d275-4cb2-b48d-458cb6449c5e
/home/runner/work/_temp/1882a3f3-d275-4cb2-b48d-458cb6449c5e/terraform-bin init
Initializing the backend...
╷
│ Error: No valid credential sources found
│ 
│ Please see https://www.terraform.io/docs/language/settings/backends/s3.html
│ for more information about providing credentials.
│ 
│ Error: failed to refresh cached credentials, no EC2 IMDS role found,
│ operation error ec2imds: GetMetadata, access disabled to EC2 IMDS via
│ client option, or "AWS_EC2_METADATA_DISABLED" environment variable
│ 
╵
Error: Terraform exited with code 1.
Error: Process completed with exit code 1.

Reverting to last known working minor version.


Terraform Lint/Plan Results

Terraform Format and Style 🖌success

Terraform Initialization ⚙️success

Terraform Plan 📖success

Terraform Validation 🤖success

Show Plan

terraform
tls_private_key.terraform_access: Refreshing state... [id=2ffac8d1a1e85232461425b441d27bce00a220c3]
tls_private_key.dkim-ed25519: Refreshing state... [id=68fff8299fe24966516127ec74f88c48a9825a3d]
hcloud_firewall.myfirewall: Refreshing state... [id=572118]
data.cloudflare_api_token_permission_groups.all: Reading...
cloudflare_record.spf-website: Refreshing state... [id=6996f2e9fb76eded73fa32bde6a4910f]
tls_private_key.dkim-rsa: Refreshing state... [id=1b2806ad50f04aac1c2d9b7ce7ba47f00ed31eb4]
cloudflare_zone_settings_override.tmeit-se-settings: Refreshing state... [id=6a806c0199e15cdf23bb3017a90bf149]
b2_bucket.db-backups: Refreshing state... [id=531125b9d9ad0bd484480d18]
b2_bucket.terraform-state: Refreshing state... [id=c33185c9297d9b5484380d18]
b2_bucket.tmeit-se-2011-dump: Refreshing state... [id=0351c5e9b99d1b0484480d18]
data.cloudflare_api_token_permission_groups.all: Read complete after 0s [id=f9c6cce7da3aafebce12628ecc8d922e]
cloudflare_record.spf: Refreshing state... [id=4d62468769e45285f7bff8f779a3608c]
hcloud_server.node1: Refreshing state... [id=25047988]
hcloud_rdns.node1_ipv4: Refreshing state... [id=s-25047988-65.21.188.62]
hcloud_rdns.node1_ipv6: Refreshing state... [id=s-25047988-2a01:4f9:c012:6063::1]
cloudflare_record.node1-a: Refreshing state... [id=9ef92757893c62ea5d1f59037eb0012a]
cloudflare_record.www-aaaa: Refreshing state... [id=9f7b0d63a18b5513abb8db23ce62cd46]
cloudflare_api_token.dns_validation_token: Refreshing state... [id=c8a740fd710299e7612975c93125667d]
cloudflare_record.node1-aaaa: Refreshing state... [id=2204e4ec36dbcc3a1e01f6799279a2f5]
cloudflare_record.root-aaaa: Refreshing state... [id=d357e52c5cacabec46933fa577fb0e88]
null_resource.run-ssh-install: Refreshing state... [id=7021398672407249957]
b2_application_key.database-backup: Refreshing state... [id=00331599db448d80000000004]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # null_resource.run-ssh-install must be replaced
-/+ resource "null_resource" "run-ssh-install" {
      ~ id       = "7021398672407249957" -> (known after apply)
      ~ triggers = { # forces replacement
          ~ "always_run" = "2024-02-07T17:39:07Z" -> (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

Pushed by: @JustinLex, Action: pull_request


Terraform Lint/Plan Results

Terraform Format and Style 🖌success

Terraform Initialization ⚙️success

Terraform Plan 📖success

Terraform Validation 🤖success

Show Plan

terraform
data.cloudflare_api_token_permission_groups.all: Reading...
cloudflare_record.spf-website: Refreshing state... [id=6996f2e9fb76eded73fa32bde6a4910f]
b2_bucket.terraform-state: Refreshing state... [id=c33185c9297d9b5484380d18]
tls_private_key.terraform_access: Refreshing state... [id=2ffac8d1a1e85232461425b441d27bce00a220c3]
tls_private_key.dkim-ed25519: Refreshing state... [id=68fff8299fe24966516127ec74f88c48a9825a3d]
b2_bucket.tmeit-se-2011-dump: Refreshing state... [id=0351c5e9b99d1b0484480d18]
tls_private_key.dkim-rsa: Refreshing state... [id=1b2806ad50f04aac1c2d9b7ce7ba47f00ed31eb4]
b2_bucket.db-backups: Refreshing state... [id=531125b9d9ad0bd484480d18]
cloudflare_zone_settings_override.tmeit-se-settings: Refreshing state... [id=6a806c0199e15cdf23bb3017a90bf149]
hcloud_firewall.myfirewall: Refreshing state... [id=572118]
data.cloudflare_api_token_permission_groups.all: Read complete after 0s [id=f9c6cce7da3aafebce12628ecc8d922e]
cloudflare_record.spf: Refreshing state... [id=4d62468769e45285f7bff8f779a3608c]
hcloud_server.node1: Refreshing state... [id=25047988]
null_resource.run-ssh-install: Refreshing state... [id=7021398672407249957]
cloudflare_record.node1-aaaa: Refreshing state... [id=2204e4ec36dbcc3a1e01f6799279a2f5]
cloudflare_record.www-aaaa: Refreshing state... [id=9f7b0d63a18b5513abb8db23ce62cd46]
cloudflare_record.root-aaaa: Refreshing state... [id=d357e52c5cacabec46933fa577fb0e88]
cloudflare_record.node1-a: Refreshing state... [id=9ef92757893c62ea5d1f59037eb0012a]
hcloud_rdns.node1_ipv6: Refreshing state... [id=s-25047988-2a01:4f9:c012:6063::1]
hcloud_rdns.node1_ipv4: Refreshing state... [id=s-25047988-65.21.188.62]
cloudflare_api_token.dns_validation_token: Refreshing state... [id=c8a740fd710299e7612975c93125667d]
b2_application_key.database-backup: Refreshing state... [id=00331599db448d80000000004]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # null_resource.run-ssh-install must be replaced
-/+ resource "null_resource" "run-ssh-install" {
      ~ id       = "7021398672407249957" -> (known after apply)
      ~ triggers = { # forces replacement
          ~ "always_run" = "2024-02-07T17:39:07Z" -> (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

Pushed by: @JustinLex, Action: pull_request

@JustinLex
Member Author

I don't really know why this broke in the first place. The only breaking change I can see in the Terraform changelogs is that they changed the order in which AWS creds are loaded, but we don't have any other AWS creds?

Downgrading works at least. In the future, we'll probably just use some free-tier OpenTofu provider for this so we don't have to worry about Terraform breaking randomly.

@JustinLex JustinLex merged commit d6632d4 into master Jul 29, 2024
8 checks passed
@JustinLex JustinLex deleted the fix-tf-2 branch July 29, 2024 02:25
@JustinLex
Member Author

Turns out the issue was that external PRs like #225 don't have access to our GitHub Actions secrets, which makes the tests fail. This can be ignored for smaller PRs, but this means that bigger PRs that need thorough testing need to be submitted from the local repo, and cannot come from a fork.
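
The failure described in the comment above (empty secrets on a fork-triggered run surfacing as an S3 backend credential error) can be caught before `terraform init` with a preflight step. This is an added example, not part of the pull request or the project's workflow; the function names and the `HEAD_REPO` / `BASE_REPO` variables are assumptions, and the variable list is copied from the failing run's log.

```shell
#!/bin/sh
# Added example, not part of the pull request. Function names, HEAD_REPO and
# BASE_REPO are assumptions; the variable list is taken from the failing run.
REQUIRED_VARS="CLOUDFLARE_API_TOKEN HCLOUD_TOKEN AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY B2_APPLICATION_KEY_ID B2_APPLICATION_KEY TF_VAR_pw_hash"

# Print the names (never the values) of required variables that are unset or
# empty. Exit status 0 means every credential is present.
missing_secrets() {
  _missing=""
  for _name in $REQUIRED_VARS; do
    eval "_value=\${$_name:-}"   # safe: names come from the fixed list above
    [ -n "$_value" ] || _missing="${_missing:+$_missing }$_name"
  done
  unset _value
  printf '%s' "$_missing"
  [ -z "$_missing" ]
}

# Classify the run as "ok", "fork" (secrets withheld from a fork PR) or
# "misconfigured" (same-repository run with credentials missing).
# Assumption: the workflow sets HEAD_REPO from
# github.event.pull_request.head.repo.full_name and BASE_REPO from
# github.repository.
classify_run() {
  if missing_secrets >/dev/null; then
    echo ok
  elif [ -n "${HEAD_REPO:-}" ] && [ "${HEAD_REPO:-}" != "${BASE_REPO:-}" ]; then
    echo fork
  else
    echo misconfigured
  fi
}

# Gate for the workflow step: fail with a readable reason instead of letting
# `terraform init` fail inside the S3 backend credential chain.
preflight() {
  case "$(classify_run)" in
    ok) return 0 ;;
    fork) echo "PR from fork ${HEAD_REPO}: secrets are not passed to this run; missing: $(missing_secrets)" >&2 ;;
    *) echo "missing credentials: $(missing_secrets)" >&2 ;;
  esac
  return 1
}

# Constructed demo: empty credentials as in the log, PR head in a fork.
( for v in $REQUIRED_VARS; do eval "$v="; done
  HEAD_REPO="contributor/fork" BASE_REPO="owner/repo"
  preflight ) || echo "preflight blocked terraform init"
```

Running `preflight || exit 1` as the step before `terraform init` turns the misleading backend error into a message that names the missing variables.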
