​

Troubleshooting

• Cause: Terraform backend uses custom HTTP verbs; routes not wired.
• Fix: Add explicit routes in Echo: e.Add("LOCK", "/v1/backend/*", ...) and e.Add("UNLOCK", "/v1/backend/*", ...). Rebuild and restart.

• Cause: Backend update handler doesn’t read lock ID from query.
• Fix: Read lock ID from header X-Terraform-Lock-ID or query ID/id.

• Cause: The id already exists remotely; renaming the Terraform resource block doesn’t change the remote ID.
• Fix: Import (terraform import opentaco_unit.NAME <id>), change id, or delete the existing unit (./taco unit rm <id>).

• Fix (dev override):

ABS="$(pwd)/providers/terraform/opentaco"
cat > ./.terraformrc <<EOF
provider_installation {
  dev_overrides { "digger/opentaco" = "${ABS}" }
  direct {}
}
EOF
export TF_CLI_CONFIG_FILE="$PWD/.terraformrc"
terraform init -upgrade

• Cause: Auth is enforced by default; /v1 and /v1/backend/* require Authorization: Bearer <access>.
• Fix:
• Use ./taco login and then run unit commands; the CLI attaches Bearer automatically.
  • Ensure tokens exist in ~/.config/opentaco/credentials.json under the current --server.
  • Temporarily disable auth for Terraform backend testing with: ./opentacosvc -auth-disable.

• Cause: No valid access/refresh tokens or server’s signing key rotated.
• Fix: ./taco login --server <url> --force-login. For fewer re‑logins across restarts, pin OPENTACO_TOKENS_PRIVATE_KEY_PEM_PATH on the server.

• Cause: Path to taco is not executable or contains spaces without quotes.
• Fix: Use an absolute, quoted path and chmod +x the binary.

• Cause: Client thinks the tfstate object exists but is empty.
• Fix: Ensure you’re running a build where empty tfstate GET/HEAD returns 404. Rebuild/restart service and re‑run terraform init -reconfigure with use_lockfile = true.

• Cause: Leftover lock.
• Fix: ./taco unit unlock <id> <lock-id> (lock ID is positional). If unknown, check the last error Terraform printed; it includes the lock ID.