How to Fix Terraform Permission Denied on Ubuntu 20.04


Troubleshooting “Terraform Permission Denied” on Ubuntu 20.04

As a DevOps Engineer, encountering a “Permission Denied” error with Terraform on Ubuntu 20.04 is a common, yet often frustrating, experience. This guide will walk you through diagnosing and resolving these issues, focusing on typical scenarios and providing direct, actionable solutions.


1. The Root Cause

The “Permission Denied” error in Terraform on Ubuntu 20.04 stems from fundamental Linux file system permissions. Essentially, the user attempting to execute Terraform commands lacks the necessary privileges to read, write, or execute specific files or directories that Terraform needs to operate.

Common scenarios include:

  • Terraform Executable Permissions: The terraform binary itself does not have execute (+x) permissions for the current user.
  • Working Directory Permissions: The current working directory where Terraform commands are executed, or its subdirectories (e.g., .terraform where provider plugins are stored), does not grant write access to the user. This prevents Terraform from downloading plugins, creating lock files, or managing its internal state.
  • State File Ownership/Permissions: The terraform.tfstate file, which tracks the state of your infrastructure, is owned by another user (e.g., root) or has restrictive permissions, preventing the current user from reading or writing to it. This often happens if previous Terraform commands were run with sudo.
  • Provider Plugin Permissions: Individual provider plugins downloaded into the .terraform/providers directory might have incorrect ownership or permissions, making them inaccessible.

2. Quick Fix (CLI)

The following commands address the most common permission issues. Execute them within your Terraform project directory.

Identify the Current User: First, confirm the user you are currently operating as. This is crucial for correctly assigning ownership.

whoami

Step 1: Grant Execute Permissions to the Terraform Binary

Ensure the Terraform executable itself is runnable. Adjust the path if your terraform binary is installed elsewhere (e.g., /usr/local/bin/terraform).

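# 'which' skips files that lack the execute bit, so fall back to the usual
# install path when it finds nothing.
TERRAFORM_BIN_PATH=$(which terraform || echo /usr/local/bin/terraform)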
if [ -f "$TERRAFORM_BIN_PATH" ]; then
    sudo chmod +x "$TERRAFORM_BIN_PATH"
    echo "Granted execute permissions to: $TERRAFORM_BIN_PATH"
else
    echo "Terraform binary not found in PATH or not a regular file. Please ensure Terraform is installed and in your PATH."
fi

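Step 2: Correct Ownership and Permissions for the Working Directory

This is often the most critical step. It ensures your current user owns the Terraform project directory and its contents, granting full read/write/execute permissions. Both commands are recursive and act on the current directory, so confirm that your shell is in the project directory before running them.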

# Grant current user ownership of the working directory and its contents recursively
# id -gn is the user's primary group, which need not share the user's name
sudo chown -R "$(id -un):$(id -gn)" .

# Ensure current user has read, write, and execute permissions for directories and files
# 'u+rwX' gives owner read/write, and execute permission for directories,
# or execute if it's already executable for files.
chmod -R u+rwX .

echo "Recursively set ownership and permissions for the current directory and its contents."

Step 3: Re-initialize Terraform (Important for Plugin Issues)

If the problem was related to provider plugins or the .terraform directory, re-initializing Terraform can clear out problematic cached files and re-download them with the correct permissions.

terraform init -reconfigure

The -reconfigure flag forces Terraform to disregard any existing configuration in the .terraform directory and re-evaluate the backend and provider configurations. This is particularly useful if ownership issues affected these internal directories.

3. Configuration Check

After applying the quick fixes, verify the permissions to ensure they are correctly set.

Verify Terraform Binary Permissions: Check the permissions of the terraform executable. Look for x (execute) for the owner (u).

ls -l "$(which terraform)"
# Expected output example: -rwxr-xr-x 1 your_user your_group ... /usr/local/bin/terraform

Verify Current Directory Permissions: Ensure the owner has write (w) permissions for the current directory.

ls -ld .
# Expected output example: drwxrwxr-x 3 your_user your_group ... .

Verify .terraform Directory Permissions (if present): If the .terraform directory exists, ensure your user owns it and has write permissions.

ls -ld .terraform
# Expected output example: drwxrwxr-x 5 your_user your_group ... .terraform

Verify terraform.tfstate Permissions (if present): If a terraform.tfstate file exists, ensure your user owns it and has write permissions.

ls -l terraform.tfstate
# Expected output example: -rw-rw-r-- 1 your_user your_group ... terraform.tfstate

Understand the Output:

  • The first column (-rwxr-xr-x) indicates file type and permissions. r (read), w (write), x (execute).
    • The first character (- for file, d for directory).
    • Next three: Owner permissions.
    • Next three: Group permissions.
    • Last three: Others permissions.
  • The third column (e.g., your_user) should match the output of whoami.
  • The fourth column (e.g., your_group) should be your primary group.
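
The manual checks above can be run in one read-only pass before reaching for a recursive chown. This is an added example, not part of the original guide: tf_perm_audit and its FINDING labels are hypothetical names, and the state-file readability check goes beyond the four scenarios listed in section 1.

```shell
# Added example: read-only audit of a Terraform working directory.
# tf_perm_audit is a hypothetical helper name, not a Terraform command.
# Usage (after sourcing this file):
#   tf_perm_audit [project_dir] [path_to_terraform_binary]
# Prints one "FINDING <kind> <path>" line per problem; returns 1 if any.
tf_perm_audit() (
    dir="${1:-.}"
    bin="${2:-/usr/local/bin/terraform}"
    tag() { sed "s|^|FINDING $1 |"; }   # prefix every path read on stdin

    out="$(
        # Binary exists but its owner execute bit is missing.
        if [ -f "$bin" ]; then
            find "$bin" ! -perm -100 | tag not-executable
        fi
        # Paths owned by someone else, typically root-owned leftovers from
        # an earlier "sudo terraform ..." (state, lock file, plugins).
        find "$dir" ! -user "$(id -u)" | tag wrong-owner
        # Owner write bit missing: blocks plugin downloads, lock and
        # state writes.
        find "$dir" ! -perm -200 | tag owner-cannot-write
        # State can hold secrets in plain text, so flag copies that any
        # local account can read (the "other" read bit is set).
        find "$dir" -type f -name 'terraform.tfstate*' -perm -004 \
            | tag state-world-readable
    )"

    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
)
```

Fixing only the reported paths keeps the change narrower than a blanket chown -R over the whole tree.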

4. Verification

To confirm the permissions issues are resolved, attempt to run your standard Terraform workflow commands.

  1. Re-initialize Terraform: Even if you ran -reconfigure before, a clean init without it can confirm all is well.

    terraform init

    • Success indication: Terraform reports initializing the backend and installing providers without “Permission Denied” errors.

  2. Generate a Plan: Attempt to generate an execution plan.

    terraform plan

    • Success indication: Terraform successfully reads the state, compares it with your configuration, and proposes changes.

If these commands execute without permission errors, you have successfully resolved the “Terraform Permission Denied” issue on your Ubuntu 20.04 system. Always remember to manage file permissions carefully, especially in shared environments or when dealing with sudo.