Buildkite Terraform Provider API 403

General
1

Greetings Buildkiters.

I am having a problem with terraform with authenticating to the api url when I do a terraform plan

Here is my setup:

providers.tf:

terraform {
  required_providers {
    buildkite = {
      source  = "buildkite/buildkite"
      version = "~> 0.9"
    }
  }
}

provider "buildkite" {
  organization = "my-team-slug"
  api_token    = "api-token-value"
}

Then I have a terraform file that defines a pipeline.

On terraform plan, I have issues getting the API to auth.

Buildkite API request failed: GET https://api.buildkite.com/v2/organizations/<MYTEAMSLUG>/pipelines/<PIPELINENAME> (status: 403)

When I take the same token thats defined in the provider, I can successfully hit the api with a curl by passing the auth: bearer $token command.

Even when I set the env var: BUILDKITE_API_TOKEN it still cant auth.

Is this some issue with the state potentially?

Thanks,
S

2

Hi sype!

Welcome to the community! :wave:

Typically when you run into an error like this, it’s because the token you are using is missing the correct scopes when using our Terraform Provider.

Because you have tested curling the API (our REST API), I’m going to assume you’ve given read_pipelines, but you’ll want to check that you also have the write_pipelines and write_suites scopes turned on for REST, as well as the token you are using has been enabled for GraphQL API access, as seen here: GitHub - buildkite/terraform-provider-buildkite: Terraform provider for Buildkite. All of these scopes are required for the Terraform Provider to function.

We have also done some work to the provider and released on the newer 1.0.x version now, which we’ve updated the provider docs here: Terraform Registry if you’re curious to see the latest changes and documentation surrounding the new release.

3

I think I experienced a bug. When I click save after enabling the “write_suites” scope, I get an error. Page not found, sorry, the page you 're trying to access could not be found.

4

Hey sype!

Do you have Test Analytics enabled? If so, that becomes a required scope to write to suites, but if not you can omit that scope and attempt your terraform plan again with the other 3 and that should work for you.

5

Hi Jared,

The scopes I see for this account and org are:

read_agents

write_agents

read_clusters

write_clusters

read_teams

read_artifacts

write_artifacts

read_builds

write_builds

read_job_env

read_build_logs

write_build_logs

read_organizations

read_pipelines

write_pipelines

read_pipeline_templates

write_pipeline_templates

read_user

read_suites

write_suites
6

Hi sype!

So you’ll want to enable: read_pipelines, write_pipelines and also check off the GraphQL API access for that token for your terraform plan to work. This is assuming you do not have Test Analytics enabled. I’ve attached a screenshot below.

image
image1712×2638 202 KB

7

I am still getting an error when I try to update anything on that page. I uncheck or check a scope box, and I click update api access token and I am met with:

image
image1048×922 103 KB

8

Hi sype!

Oh no, that’s not expected! Can you do me a favour and send in an email to us at support@buildkite.com, sharing the name of organization you’re a part of and we’ll take a look on our end to see what’s going wrong.