hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: credentials required even if no resource are used #38039

Open hegerdes opened 1 week ago

hegerdes commented 1 week ago

Terraform Core Version

1.8.5

AWS Provider Version

5.54.1

Affected Resource(s)

General error with the provider.

If no aws resources are used, because the user input vars only require resources from other clouds, the aws provider still expects valid credentials.

Expected Behavior

If no aws resources are created, the provider does not need any credentials. The provider does not need to be called at all.

Actual Behavior

The provider expects valid credentials and the terraform plan/apply fails even if no aws resources are referenced or created.

Relevant Error/Panic Output Snippet

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform planned the following actions, but then encountered a problem:

  # cloudflare_record.api_server["a"] will be created
  + resource "cloudflare_record" "api_server" {
      + allow_overwrite = false
      + comment         = "Managed by terraform"
      + created_on      = (known after apply)
      + hostname        = (known after apply)
      + id              = (known after apply)
      + metadata        = (known after apply)
      + modified_on     = (known after apply)
      + name            = "example.com"
      + proxiable       = (known after apply)
      + ttl             = (known after apply)
      + type            = "A"
      + value           = "127.0.0.1"
      + zone_id         = (sensitive value)
    }

  # cloudflare_record.api_server["aaaa"] will be created
  + resource "cloudflare_record" "api_server" {
      + allow_overwrite = false
      + comment         = "Managed by terraform"
      + created_on      = (known after apply)
      + hostname        = (known after apply)
      + id              = (known after apply)
      + metadata        = (known after apply)
      + modified_on     = (known after apply)
      + name            = "example.com"
      + proxiable       = (known after apply)
      + ttl             = (known after apply)
      + type            = "AAAA"
      + value           = "::1"
      + zone_id         = (sensitive value)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + aws_route53    = {}
  + cloudflare_dns = {
      + a    = "127.0.0.1"
      + aaaa = "::1"
    }

Error: No valid credential sources found

  with provider["registry.terraform.io/hashicorp/aws"],
  on main.tf line 18, in provider "aws":
  18: provider "aws" {

Please see https://registry.terraform.io/providers/hashicorp/aws
for more information about providing credentials.

Error: failed to refresh cached credentials, refresh cached SSO token failed, unable to refresh SSO token, operation error  
SSO OIDC: CreateToken, https response error StatusCode: 400, RequestID: d5ab2811-8398-4315-bdb0-3212eb6f672f,
InvalidGrantException:

Terraform Configuration Files

# ################# SETUP #################
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~>5.54"
    }
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~>4.33"
    }
  }
}
provider "cloudflare" {
  api_token = var.dns_record.token
}
provider "aws" {
  region = "us-east-1"
}

# ################# VARS #################
variable "dns_record" {
  type = object({
    zone     = string
    provider = string
    token    = string
  })
  sensitive   = true
  default     = { zone = "", provider = "cloudflare", token = "xxx" }
  description = "DNS record for the controlplane. Provider can be cloudflare, aws, azure"
}

# ################# LOCALS #################
locals {
  # DNS
  dns_records    = { a = "127.0.0.1", aaaa = "::1" }
  cloudflare_dns = var.dns_record.provider == "cloudflare" ? local.dns_records : {}
  aws_route53    = var.dns_record.provider == "aws" ? local.dns_records : {}
}
output "cloudflare_dns" {
  value = local.cloudflare_dns
}
output "aws_route53" {
  value = local.aws_route53
}

# ################# RESOURCES #################
resource "cloudflare_record" "api_server" {
  # Empty map unless the selected DNS provider is "cloudflare", so nothing is planned otherwise
  for_each = local.cloudflare_dns
  zone_id  = var.dns_record.zone
  name     = "example.com"
  value    = each.value
  type     = upper(each.key)
  comment  = "Managed by terraform"
}
resource "aws_route53_record" "api_server" {
  # Empty map unless the selected DNS provider is "aws", so no instances are planned otherwise
  for_each = local.aws_route53
  # Does not work either without logging in
  # for_each = {}
  zone_id = var.dns_record.zone
  name    = "example.com"
  type    = upper(each.key)
  # ttl is required by the provider whenever records is set (non-alias record)
  ttl     = 300
  records = [each.value]
}

For the variable, set this in the tfvars:

dns_record = {
  provider = "cloudflare",
  zone = "xxx",
  token = "xxx"
}

Steps to Reproduce

Init the root module and run terraform plan/apply. The output shows that no aws resources will be created; still, the aws provider needs credentials. This prevents dynamic setups where, for example, users can reference different DNS providers. It makes it hard to provide general-purpose, easy-to-use modules for multiple clouds.

Debug Output

Error: No valid credential sources found

  with provider["registry.terraform.io/hashicorp/aws"],
  on main.tf line 18, in provider "aws":
  18: provider "aws" {

Please see https://registry.terraform.io/providers/hashicorp/aws
for more information about providing credentials.

Error: failed to refresh cached credentials, refresh cached SSO token failed, unable to refresh SSO token, operation error  
SSO OIDC: CreateToken, https response error StatusCode: 400, RequestID: d5ab2811-8398-4315-bdb0-3212eb6f672f,
InvalidGrantException:

Panic Output

No response

Important Factoids

Other providers do not seem to have a problem with this. If I want to create only aws dns records, I do not need to provide valid cloudflare credentials. But I'm not quite sure if this problem is caused by the provider or TF itself.

References

No response

Would you like to implement a fix?

None
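
A workaround for the repro config above, added here as an example; it is not part of the original issue and not the provider's own guidance. Because a provider block cannot be made conditional, its arguments are made conditional instead: when var.dns_record.provider is anything other than "aws", the block supplies placeholder static keys and sets the provider's documented skip_credentials_validation, skip_requesting_account_id and skip_metadata_api_check arguments, so provider configuration resolves those static keys instead of walking the profile/SSO/IMDS credential chain and makes no STS call. When "aws" is selected, every override evaluates to null or false and the normal credential chain applies. The local aws_needed, the placeholder strings and the conditional expressions are this example's own assumptions; it reuses the variables from the issue's configuration.

```hcl
# Added example: argument-level conditional configuration of the aws provider.
# Assumes var.dns_record from the repro above. The placeholder key strings are
# made up for this example and must never be real credentials.
locals {
  aws_needed = var.dns_record.provider == "aws"
}

provider "aws" {
  region = "us-east-1"

  # Placeholder static credentials short-circuit the SDK credential chain
  # (shared config profiles, SSO token cache, instance metadata) whenever
  # AWS is not the selected DNS provider. null means "not set" in HCL, so
  # the normal chain is used when AWS is selected.
  access_key = local.aws_needed ? null : "placeholder-not-a-key"
  secret_key = local.aws_needed ? null : "placeholder-not-a-secret"

  # Skip the STS GetCallerIdentity and IMDS calls that provider configuration
  # would otherwise issue with the placeholder credentials.
  skip_credentials_validation = !local.aws_needed
  skip_requesting_account_id  = !local.aws_needed
  skip_metadata_api_check     = !local.aws_needed
}
```

With provider = "cloudflare" in the tfvars, plan is expected to no longer stop on the aws provider; with provider = "aws" the SSO/profile chain is used exactly as before. The provider is still configured, so if an aws resource or data source does get evaluated while the placeholders are active, the AWS API rejects the request; that is the failure mode you want, rather than a silent fallback to whatever credentials happen to be in the environment. Static keys in provider configuration are normally a red flag, which is why the placeholders are deliberately non-secret and obviously invalid.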

github-actions[bot] commented 1 week ago

Community Note
