muvaf
commented
2 years ago Currently, there are two fields that authenticate Terraform call that are used for authentication, Configuration and Env:
type Setup struct {
Version string
Requirement ProviderRequirement
Configuration ProviderConfiguration // this is a map[string]interface{}
Env []string
}Configuration could take information like region, project etc. where as Env is usually used for credentials. However, I think having two different information source for auth adds unnecessary complexity and the initial reason we had this separation is now gone with https://github.com/crossplane-contrib/terrajet/pull/143 . I believe we should remove either one of them and have a single place to contain all information necessary to authenticate; if it is possible let's use Env []string for all authentication and remove Configuration OR have Configuration ProviderConfiguration only to contain everything. FWIW, relying on Env is a bit riskier since provider may accept some auth configs that are not exposed as env vars (very rare?) whereas HCL file can contain any information TF allows you to set.
stale[bot]
What problem are you facing?
How could Terrajet help solve your problem?
Initially, we were using the main Terraform configuration file
main.tf.jsonto specify provider credentials in a per-resource manner. However, due to some security concerns associated with putting credentials into Terraform configuration files and to prevent accidental leaks (such as credentials appearing in logs * in other diagnostic info) we had switched to injecting credentials via env. variables.Now that at least for the provider logs part we are implementing a more secure strategy with #143, we are in a position to reconsider this decision. While doing so we should consider security best practices but also specifying provider configuration/credentials in the main Terraform configuration file makes scenarios such as #38 easier even may be possible.
We had a discussion with @muvaf and @turkenh to open this issue to track this line of thought.