Upgrading terraform from 0.10.7 to 0.11.1 breaks GOOGLE_CREDENTIALS ENVVAR

[ryan-mf]

Terraform Version

Terraform v0.11.1

Terraform Configuration Files

The HCL around the backend:

terraform {
  backend "gcs" {}
}

The init command we're using:

terraform init -backend=true -backend-config=bucket="tf-state-<our environment>" -backend-config=path="terraform/terraform.tfstate" -backend-config=project="<our GCP project name" -get-plugins=true

Debug Output

2018/01/08 17:13:10 [DEBUG] plugin: waiting for all plugin processes to complete...
Terraform backend setup successful. Proceeding...
2018/01/08 17:13:10 [INFO] Terraform version: 0.11.1 a42fdb0+CHANGES
2018/01/08 17:13:10 [INFO] Go runtime version: go1.9
2018/01/08 17:13:10 [INFO] CLI args: []string{"/usr/bin/terraform", "plan"}
2018/01/08 17:13:10 [DEBUG] Attempting to open CLI config file: /home/rwhite/.terraformrc
2018/01/08 17:13:10 Loading CLI configuration from /home/rwhite/.terraformrc
2018/01/08 17:13:10 [INFO] CLI command args: []string{"plan"}
2018/01/08 17:13:10 [TRACE] Preserving existing state lineage "dc043295-5f63-4d24-9848-4ec82535e554"
2018/01/08 17:13:10 [TRACE] Preserving existing state lineage "dc043295-5f63-4d24-9848-4ec82535e554"
2018/01/08 17:13:10 [DEBUG] plugin: waiting for all plugin processes to complete...
Failed to load backend:

Error configuring the backend "gcs": storage.NewClient() failed: dialing: cannot read credentials file: open {
<our entire service account key contents, which we're setting GOOGLE_CREDENTIALS ENVVAR to the output of>
}: file name too long

Expected Behavior

Terraform should have opened our Google Cloud Storage-based remote state using the service account JSON contents set in the GOOGLE_CREDENTIALS ENVVAR, without issue.

Actual Behavior

It complains that parsing the GOOGLE_CREDENTIALS ENVVAR is reading a file too long.
This worked fine up until 0.10.7, and only broke when trying to upgrade to 0.11.1

Steps to Reproduce

1. Install Terraform 0.10.7 or earlier.
2. Create a service account in Google IAM that has broad access to your GCP project.
3. Create a basic Terraform config of GCP resources, including using a GCS-based remote state.
4. Set the ENVVAR GOOGLE_CREDENTIALS (documented here: https://www.terraform.io/docs/providers/google/index.html) to the contents of the service account JSON file.
5. Watch terraform run fine after properly running init to create the storage bucket in GCS.
6. Upgrade Terraform to 0.11.1, and change nothing in the config.
7. Run terraform plan or apply, and watch it bail out with the above error.

Additional Context

We do run Terraform in a wrapper script, which basically exists to pre-set all the necessary per-ENV ENVVARS and decrypts our GPG-encrypted Terraform variables.tf file which contains sensitive passwords and other info. However, this has all worked fine for over a year and only stops working with 0.11.1. I can't find anything in the 0.11.x release notes that would point in any direction why this is suddenly broken.

[jbardin]

Hi @ryan-mf:

This should be fixed in master. You can find the entry under the 0.11.2 section of the CHANGELOG, and the referenced PR is #16865.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.