hcl Errors
41 error patterns
HashiCorp Vault permission denied
vault.*Error making API request.*permission denied
- •Check Vault policy attached to the token/role allows the operation
- •Verify token hasn't expired: vault token lookup
HashiCorp Vault seal/unseal error
vault.*Error.*seal/unseal.*barrier
- •Provide required number of unseal keys (quorum)
- •Check auto-unseal KMS key is accessible
Vault dynamic secret lease expired
vault.*Error:.*secret.*lease.*expired
- •Implement lease renewal before expiry in application
- •Increase default_lease_ttl and max_lease_ttl on the secret engine
Vault token has been revoked
vault.*Error:.*token.*revoked
- •Generate a new token with vault token create
- •Check if parent token was revoked (cascading revocation)
Vault storage backend initialization error
vault.*Error initializing storage.*backend
- •Verify storage backend (Consul/Raft/S3) is accessible
- •Check storage configuration in vault.hcl
Vault AppRole SecretID not found or expired
vault.*Error:.*AppRole.*SecretID.*not found
- •Generate new SecretID: vault write auth/approle/role/<name>/secret-id
- •Check secret_id_ttl hasn't expired
Vault requested TTL exceeds max_ttl
vault.*Error:.*max_ttl.*less than.*requested ttl
- •Increase max_ttl on the auth method or secrets engine mount
- •Request a TTL within the allowed max_ttl limit
Terraform for_each Invalid Argument Type
terraform.*Error:.*Invalid for_each argument.*must.*map.*set
- •Convert list to set: toset(var.list)
- •Use map with unique keys for for_each
Terraform for_each Depends on Unknown Value
terraform.*for_each.*depends on resource attributes.*cannot.*determined
- •Move dynamic values to variables or data sources
- •Use count if value depends on resource output
Terraform Dynamic Block Attribute Error
terraform.*Error:.*Unsupported attribute.*dynamic.*block
- •Use content { } inside dynamic block, not direct attributes
- •Check nested block name matches resource schema
Terraform Provider Configuration Not Found
terraform.*Error:.*Provider configuration.*not present
- •Add required provider block in terraform { required_providers {} }
- •Check provider alias matches resource provider attribute
Terraform Backend Configuration Changed
terraform.*Error:.*Backend configuration changed
- •Run terraform init -migrate-state to migrate
- •Use terraform init -reconfigure to reinitialize
Terraform Workspace Does Not Exist
terraform.*Error:.*workspace.*does not exist
- •Create workspace: terraform workspace new <name>
- •List available workspaces: terraform workspace list
Terraform Dependency Cycle
terraform.*Error:.*Cycle.*in.*dependency.*graph
- •Remove circular depends_on references
- •Use data source instead of direct resource reference
Terraform Count and for_each Conflict
terraform.*Error:.*count.*for_each.*cannot.*both
- •Use only one: count OR for_each on a resource
- •Convert count-based resource to for_each with index map
Terraform State Lock Already Held
terraform.*Error:.*state.*lock.*already.*held
- •Wait for other operation to complete
- •Force unlock: terraform force-unlock <LOCK_ID>
Terraform Resource Already Exists (Import Needed)
terraform.*Error:.*Resource.*already.*exists.*import
- •Import existing resource: terraform import <addr> <id>
- •Use import block in Terraform 1.5+
Terraform Provider Inconsistent Result
terraform.*Error:.*Provider.*produced inconsistent result
- •Report bug to provider - resource schema mismatch
- •Add lifecycle { ignore_changes = [...] } for flapping attrs
Terraform Module Not Installed
terraform.*Error:.*Module.*not installed.*terraform init
- •Run terraform init to download modules
- •Check module source path/URL is correct
Terraform Variables Not Allowed in Backend Config
terraform.*Error:.*Variables.*not allowed.*in.*backend
- •Use -backend-config flag: terraform init -backend-config='key=value'
- •Create backend.hcl partial config file
Terraform Moved Block Original Not Found
terraform.*Error:.*moved.*block.*original.*not.*found
- •Verify 'from' address matches current state exactly
- •Run terraform state list to check resource addresses
Terraform Null Value Attribute Access
terraform.*Error:.*Attempt to get attribute.*null.*value
- •Add null check: var.x != null ? var.x.attr : default
- •Use try() function: try(var.x.attr, 'default')
Terraform Count Depends on Resource Attribute
terraform.*Error:.*Invalid count argument.*depends.*resource
- •Use a variable or local for count value instead
- •Move count dependency to a data source with depends_on
Terraform Sensitive Value in for_each
terraform.*Error:.*sensitive.*value.*cannot.*be used.*for_each
- •Use nonsensitive() to unwrap if value is safe to expose
- •Restructure to avoid sensitive values as map keys
Terraform Provider Version Constraint Error
terraform.*Error:.*Provider.*version.*constraint
- •Update version constraint in required_providers block
- •Run terraform init -upgrade to get latest compatible
Terraform Data Source Depends on Uncreated Resource
terraform.*Error:.*data\..*depends.*resource.*not yet created
- •Add depends_on = [resource] to data source
- •Use resource output directly instead of data source
Terraform Output References Destroyed Resource
terraform.*Error:.*output.*references.*destroyed.*resource
- •Remove output that references destroyed resource
- •Update output to reference replacement resource
Terraform S3 Backend Access Denied
terraform.*Error:.*S3.*backend.*access denied
- •Check IAM permissions for s3:GetObject, s3:PutObject on state bucket
- •Verify DynamoDB permissions for state locking table
Terraform Plan Contains Unexpected Destroy
terraform.*Error:.*plan.*contains.*destroy.*actions
- •Check for resource address changes (rename triggers replace)
- •Use lifecycle { prevent_destroy = true } for critical resources
Terraform Provider Registry Unreachable
terraform.*Error:.*Provider.*registry.*unreachable
- •Check network connectivity to registry.terraform.io
- •Use provider mirror for air-gapped environments
Terraform Sensitive Output Cannot Display
terraform.*Error:.*output.*value.*sensitive.*cannot display
- •Mark output as sensitive = true
- •Use nonsensitive() if value is safe to show
Terraform each.key Used Outside for_each
terraform.*Error:.*each\.key.*each\.value.*outside.*for_each
- •each.key/each.value only valid inside resource with for_each
- •Use local variable or for expression instead
Terraform Data Source Returned No Results
terraform.*Error:.*data.*source.*returned.*no results
- •Verify filter criteria match existing resources
- •Check resource exists in same region/account
Terraform Create Before Destroy Name Conflict
terraform.*Error:.*lifecycle.*create_before_destroy.*conflict
- •Use name_prefix instead of name for auto-naming
- •Add random suffix to resource names
Terraform Module Output Not Exported
terraform.*Error:.*module.*output.*not.*exported
- •Add output block in child module for needed value
- •Reference as module.<name>.output_name
Terraform Postcondition Check Failed
terraform.*Error:.*postcondition.*failed
- •Verify resource was created with expected attributes
- •Check postcondition logic matches actual state
Terraform Replace Triggered By Configuration Error
terraform.*Error:.*replace_triggered_by.*lifecycle
- •Use resource address reference in replace_triggered_by
- •Attribute must be in same module scope
Terraform Tainted Resource Replacement
terraform.*Error:.*resource.*tainted.*will.*be.*replaced
- •Run terraform untaint <address> to cancel replacement
- •Review why resource was tainted (previous failed apply)
Terraform Provider Schema Upgrade Needed
terraform.*Error:.*provider.*schema.*mismatch.*upgrade
- •Upgrade provider version in required_providers
- •Run terraform init -upgrade
Terraform Child Module Provider Requirement
terraform.*Error:.*child.*module.*requires.*provider
- •Pass provider to module: providers = { aws = aws.us }
- •Configure required provider in module's required_providers
Terraform Optional Attributes Feature
terraform.*Error:.*optional attributes.*experimental
- •Use optional() in variable type constraint (TF 1.3+)
- •Upgrade Terraform to version supporting optional()