Workload Identity Federation with TFC_WORKLOAD_IDENTITY_TOKEN fails

[kgibson-insight]

Terraform Version and Provider Version

Terraform version: v1.7.4
HCP provider version: 0.84.1

Affected Resource(s)

• hcp_iam_workload_identity_provider

Terraform Configuration Files

terraform {
  cloud {
    organization = "my-org"
    hostname = "app.terraform.io" # Optional; defaults to app.terraform.io

    workspaces {
      name = "qt-poc-hcp-org"
    }
  }

  required_providers {
    hcp = {
      source  = "hashicorp/hcp"
      version = "~> 0.84.1"
    }
    environment = {
      source  = "EppO/environment"
      version = "~>1.0"
    }
  }
}


custom module, builds workspace vars
  tfc_workspace_variables = {
    "TFC_WORKLOAD_IDENTITY_AUDIENCE" = {
      value       = "qt-poc-tfc"
      category    = "env"
      description = "Terraform Cloud Workload Identity Token"
    }
  }

data "environment_variables" "all" {}

provider "hcp" {
  # client_id        = var.hcp_client_id
  # client_secret    = var.hcp_client_secret
  # project_id = "my-hcp-project-id"
  workload_identity {
    resource_name = "iam/project/my-hcp-project-id/service-principal/qt-poc-sp/workload-identity-provider/qt-poc-tfc"
    token_file = data.environment_variables.all.items["TFC_WORKLOAD_IDENTITY_TOKEN"]
  }
}

resource "hcp_service_principal" "qt_poc" {
  name   = "qt-poc-sp"
  parent = hcp_project.qt_poc.resource_name
}

resource "hcp_project_iam_binding" "qt_poc" {
  project_id   = hcp_project.qt_poc.resource_id
  principal_id = hcp_service_principal.qt_poc.resource_id
  role         = "roles/admin"
}

resource "hcp_iam_workload_identity_provider" "qt_poc_tfc" {
  name              = "qt-poc-tfc"
  service_principal = hcp_service_principal.qt_poc.resource_name
  description       = "Allow Terraform Cloud runs to authenticate as service principal"

  oidc = {
    issuer_uri        = "https://app.terraform.io"  // This is an example; the actual issuer URI may vary
    allowed_audiences = ["qt-poc-tfc"] 
  }

  // Example conditional access policy - adjust according to your security requirements
  conditional_access = "jwt_claims.sub == `organization:${local.tfc_organization}:project:${local.tfc_project}:workspace:*:run_phase:*`"
}

Debug Output

I'm posting this bug report because HCP WIF appears to be half baked. Unless I'm completely mistaken, there isn't any way to view this configuration in HCP console? Which make it very difficult to troubleshoot and debug having to switch between cloud and local state.

There are plenty of examples of configuring cloud providers here https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/iam_workload_identity_provider

But why not include Terraform Cloud? I've posted my attempt to reference the TFC workspace token and terraform outputs the token

╷
│ Error: unable to create HCP api client: no valid credentials available: failed to get new token: failed to open credential file "eymyjwt"
│
│ with provider["registry.terraform.io/hashicorp/hcp"],
│ on providers.tf line 3, in provider "hcp":
│ 3: provider "hcp" {
│
╵
Operation failed: failed running terraform plan (exit 1)

and I can confirm the audience and subjects match as configured. But I can't seem to understand how the TFC token isn't being accepted by HCP?