1

The variable in the Terraform file (infrastructure.tf) is declared like this:

variable "tags" {
  type = map(string)
}

This is the PowerShell code that executes the terraform command-line program with the plan command:

$command = "plan"
$options = @(
    "'--var=tags={a:\`"b\`"}'"
    "--out=path/to/out.tfplan"
)

Write-Host terraform,$command,$options

& terraform $command $options

The Write-Host command's output is:

terraform plan '--var=tags={a:\"b\"}' --out=path/to/out.tfplan

If I copy paste that into an interactive PowerShell 7.2 (pwsh) session then it works. But the & terraform command fails with this error:

Error: Too many command line arguments

To specify a working directory for the plan, use the global -chdir flag.

I know the Terraform documentation for the plan command warns against using PowerShell to run the command, due to quoting issues (emphasis mine):

PowerShell on Windows cannot correctly pass literal quotes to external programs, so we do not recommend using Terraform with PowerShell when you are on Windows. Use Windows Command Prompt instead.

Unfortunately they don't specify if they mean Windows PowerShell 5.1 included in Windows (powershell.exe), or also PowerShell 7.2 running on Windows (pwsh). But with pwsh it is clearly possible to run the plan command in an interactive PowerShell session (I am using macOS, but some others use Windows) and pass literal quotes to an external program. It just seems that running the same command from a .ps1 file does not work.

Since our whole dev/ops tooling is PowerShell-based, I'd like to know: is this possible?

Because if it is not, then we will have to work around this limitation.

Edit: Some things I've tried:

  • Use splatting for $options (e.g. @options)
  • Add the stop-parsing token (e.g. --%) as the first item in $options (that token is actually "only intended for use on Windows platforms")
  • Many variations of single/double quotes
  • Remove the \ (I am not actually sure why this seems required, the map literal syntax is either {"x"="y"} or {x:"y"}), but without the \ copy-pasting the printed command line in an interactive PowerShell also does not work.
Michiel van Oosterhout
  • 22,839
  • 15
  • 90
  • 132
  • Give `& terraform $command @options` a shot – Mathias R. Jessen Dec 22 '22 at 15:30
  • Thanks for the suggestion @MathiasR.Jessen, unfortunately just using the splat syntax does not seem to make a difference. – Michiel van Oosterhout Dec 22 '22 at 16:35
  • I've added the `[powershell-core]` tag. I'm unclear on whether you need a _Windows_ solution, a _Unix_ solution, or both. Please add the relevant tags. Note that your original approach cannot work, because the `'` characters would become a _literal part of your argument_. – mklement0 Dec 22 '22 at 17:08
  • 1
    In case it helps with seeing how Terraform is understanding the command line that PowerShell built, you can set the environment variable `TF_LOG=INFO` to make Terraform generate some internal logs. Early on in that output should be a line starting with `CLI command args:`, followed by a Go syntax representation of the sequence of arguments Terraform understood. – Martin Atkins Dec 22 '22 at 17:18
  • 1
    For what you're trying here to work, Terraform must see the entire sequence `-var=tags={a={"b"}}` as a single element in that sequence. Terraform is showing the strings in quotes, so there will be one extra level of backslash escaping just to represent the Go quoted string syntax. – Martin Atkins Dec 22 '22 at 17:20
  • Terraform on Windows expects a command line using the same syntax as would be expected by the Visual C++ Runtime Library. Those rules are summarized here: https://learn.microsoft.com/en-us/cpp/c-language/parsing-c-command-line-arguments – Martin Atkins Dec 22 '22 at 17:22
  • PowerShell itself constructs the final command line based on its own rules, and I'm not familiar enough with it to say how to force PowerShell to generate quoting that follows those rules, but hopefully those are helpful hints at least on what _Terraform_ is expecting, and so you can find out how to convince PowerShell to generate a command line in that syntax. – Martin Atkins Dec 22 '22 at 17:25
  • 1
    I overcomplicated the answer: what it boils down to: omit the embedded `'...'`, and it should work, on all platforms - except in 7.3.0 and 7.3.1, where you additionally need `$PSNativeCommandArgumentPassing = 'Legacy'`. Please see the tl;dr section I've added to the top of the answer. – mklement0 Dec 22 '22 at 17:34

1 Answers1

2

tl;dr

  • Omit the embedded enclosing '...' around --var=..., because they will become a literal part of your argument.

  • The - unfortunate - need to manually \-escape the embedded " instances, even though PowerShell itself does not need it, is the result of a long-standing bug that was finally fixed in PowerShell (Core) 7.3.0; in 7.3.0 and up to at least 7.3.1, the fix is in effect by default, which breaks the solution below, and therefore requires $PSNativeCommandArgumentPassing = 'Legacy'; however, it looks like the fix will become opt-in in the future, i.e. the old, broken behavior (Legacy) will become the default again - see this answer.

  • Using Write-Host to inspect the arguments isn't a valid test, because, as a PowerShell command, it isn't subject to the same rules as an external program.

    • For ways to troubleshoot argument-passing to external programs, see the bottom section of this answer.
$command = "plan"
$options = @(
    "--var=tags={a:\`"b\`"}" # NO embedded '...' quoting
    "--out=path/to/out.tfplan"
)

# No point in using Write-Host

& { # Run in a child scope to localize the change to $PSNativeCommandArgumentPassing

  # Note: Only needed if you're (also) running on PowerShell 7.3+
  $PSNativeCommandArgumentPassing = 'Legacy'

  & terraform $command $options
}

How to control the exact process command line on Windows / pass arguments with embedded double quotes properly on Unix:

Note: The solution above relies on PowerShell's old, broken behavior, and while it works in the case at hand, a fully robust and less conceptually confusing solution requires more explicit control over how the arguments are passed, as shown below.

A cross-edition, cross-version, cross-platform solution:

Assuming that terraform must see --var=tags={a:\"b\"} on its process command line on Windows, i.e. needs to see the argument as verbatim --var=tags={a:"b"} after parsing its command line, combine --%, the stop-parsing token, with splatting, which gives you full control over how the Windows process command line is built behind the scenes:

$command = "plan"
$options = @(
    '--%'
    '--var=tags={a:\"b\"}'
    '--out=path/to/out.tfplan'
)

& { # Run in a child scope to localize the change to $PSNativeCommandArgumentPassing

  # !! Required in v7.3.0 and up to at least v7.3.1, due to a BUG.
  $PSNativeCommandArgumentPassing = 'Legacy'

  & terraform $command @options
}

This creates the following process command line behind the scenes on Windows (using an example terraform path):

C:\path\to\terraform.exe plan  --var=tags={a:\"b\"} --out=path/to/out.tfplan

Note:

  • In PowerShell (Core) 7.3.0 and at least up to 7.3.1, --% is broken by default, in that its proper functioning is mistakenly tied to value of the v7.3+ $PSNativeCommandArgumentPassing preference variable; thus, (temporarily) setting $PSNativeCommandArgumentPassing = 'Legacy' is required, as shown above - see GitHub issue #18664 for the bug report.

  • Even though --% is primarily intended for Windows, it works on Unix-like platforms too, as long as you use the Microsoft C/C++ command-line syntax rules to formulate the arguments; specifically, this means:

    • only use " characters for quoting (with syntactic function)
    • use \ only to escape " chars.

  • While you can use --% without splatting, doing so comes with severe limitations - see this answer.

A simpler, but Windows-only cross-edition, cross-version solution:

Calling via cmd /c also gives you control over how the command line is constructed:

$command = "plan"
$options = @(
    '--var=tags={a:\"b\"}'
    '--out=path/to/out.tfplan'
)

cmd /c "terraform $command $options"

Note: This is often more convenient than --%, but suboptimal, because:

  • The intermediary cmd.exe call creates extra overhead.
  • % characters may be interpreted by cmd.exe, and, in unquoted arguments, additional metacharacters such as & and ^ - preventing that requires extra effort.

A v7.3+ cross-platform solution:

Relying on PowerShell's corrected behavior in v7.3+ (no need for manual \-escaping anymore) requires setting $PSNativeCommandArgumentPassing to 'Standard'.

  • Note: If you target only Unix-like platforms, that isn't necessary.
$command = "plan"
$options = @(
    '--var=tags={a:"b"}' # Note: NO \-escaping of " required anymore.
    '--out=path/to/out.tfplan'
)

& { # Run in a child scope to localize the change to $PSNativeCommandArgumentPassing

  # Necessary on Windows only.
  $PSNativeCommandArgumentPassing = 'Standard'

  & terraform $command $options
}

Note: On Windows, this creates a slightly different process command line than the solutions above; notably, --var=tags={a:\"b\"} is enclosed in "..." as a whole; however, well-behaved CLIs should parse this as verbatim --var=tags={a:"b"} too, whether enclosed in "..." or not.

C:\path\to\terraform.exe plan  "--var=tags={a:\"b\"}" --out=path/to/out.tfplan
mklement0
  • 382,024
  • 64
  • 607
  • 775
  • Amazing summary and background information, thanks! – Michiel van Oosterhout Dec 23 '22 at 07:53
  • 1
    Glad to hear it, @MichielvanOosterhout; my pleasure. Unfortunately, argument-passing to external programs is a mess in PowerShell, and the recent attempt to fix it has created even more confusion. I've proposed a way forward that doesn't rely on a preference variable [here](https://github.com/PowerShell/PowerShell/issues/18660#issuecomment-1349795248), but its chances of getting adopted aren't good. – mklement0 Dec 23 '22 at 08:38