hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Remove default "terraform" partner_id #4747

Closed schuettecarsten closed 5 years ago

schuettecarsten commented 5 years ago

Please remove the default partner_id from azurerm that was introduced in #4663. If no provider_id is specified, then no provider_id should be sent to Azure.

Using the default "terraform" partner_id is absolutely unacceptable. The partner_id is used for a Microsoft program called Azure Template Tracking. Partners who provide their partner id will get credits or some kind of (possibly confidential) information about the deployments. So, maybe "terraform" gets detailed information about our deployment structure. For us, this is a very critical security and compliance issue.

From Microsoft documentation:

> This program will allow ISVs who deploy their software on an Azure customer’s infrastructure an opportunity to get credit for the impact of their software.
>
> The data generated by the Azure ISV Customer Usage Attribution program will be used for ISV partners to qualify for partner programs by providing a automated method of linking a customers usage to the ISVs software.
>
> ISV partners will receive reporting for deployments from the Azure ISV Customer Usage Attribution program. Data may be anonymized for deployments from outside of Azure Marketplace. Reporting will be made available in the Cloud Publisher Portal, the same platform where GUIDs will be registered and partners can configure and manage listings for Azure Marketplace.

lattwood commented 5 years ago

This could be accomplished via user agents and we'd be none the wiser.

kyleingraham commented 5 years ago

Honest question: why not just set your own value in the config to override their default? It seems to me that there would be no reporting to Azure at all once you’ve done that.

bithavoc commented 5 years ago

> So, maybe "terraform" gets detailed information about our deployment structure.

So that settles it, if Hashicorp clarifies they aren’t actually getting detailed information about the deployments then I guess we're ok with Hashicorp making a bit of money off the project they’ve poured so much money in in the first place.

Btw, thank you Hashicorp for creating Terraform 🎉

Omeryl commented 5 years ago

If it's just a "referral code" if you will, and Hashicorp confirms they don't get any sort of deployment data (since this seems to be a maybe) then I have zero problems with this situation. It's the absolute least we can do to support the project.

mitchellh commented 5 years ago

I just posted this on Hacker News as well:

Hi everyone,

I'm the founder of HashiCorp.

I want to make something clear up front that this does NOT allow us to see resource usage by Terraform user and does NOT result in credits or revenue sharing at all. HashiCorp has no direct access to this information in any form.

Before explaining "why" we do this, I do want to apologize and say that adding this without proper explanation was a mistake. It isn't clear why it's there and I think enough companies have hurt users with features like this that defaulting to a negative reaction makes sense. I'm sorry. I promise (and will explain) that our usage is not nefarious, and even further this ID does not give us access to anything directly.

The "why": the partner ID lets Microsoft better track Terraform usage internally (with data they already have access to, just lets them filter it by Terraform). Microsoft does share aggregate information with us ("x% of all Azure workloads") but does not go any more granular than that.

This information is used by Microsoft to gauge how much investment to make into Terraform as well as what resources are a priority to fix any issues or make improvements to. Microsoft is a big partner of ours and as part of that partnership they employ full-time people to improve the Terraform provider. Part of making that partnership successful is measuring the output of it and this is one mechanism that allows them to do that. I can say that the usage information given by this partner code has directly resulted in more headcount being assigned to the "azurerm" Terraform provider that may not have been otherwise assigned.

Note that all this partner ID does is let Microsoft filter by "Terraform." They already have and use all information around what resources are being spun up by accounts (as you would expect any IaaS or even SaaS to do). This doesn't introduce anything else other than that easier filter for them.

The partner ID used by Terraform was provided directly by Microsoft and generated by them. It is not associated with our Azure accounts at all. This is an extra assurance that we don't have access to any partner information using this ID.

Some have pointed out that the docs specifically state that this is used for credit/revenue sharing. That is a feature of the partner ID but not one that we use. Azure is a large, complex platform and features are overloaded for different use cases. In our case, the partner ID does NOT provide us with any information, credits, or revenue. Zero.

Going forward, we will be building an option to opt out of using this partner ID. It was already noted in other comments that we made it configurable since there are other use cases for it that a Terraform user might want to set. We haven't made a direct option to opt-out and we will do that in the next release. As a workaround today, you can set any partner ID you want (an invalid value) and we will send that and that will function similarly.

Note that for years all our providers have also sent a custom user agent that notes Terraform and the version of Terraform being used. We haven't been secret about this (I've publicly tweeted about it many times), but it feels important to call out in this comment as well. This information could also be used by providers to determine Terraform usage. Similarly, HashiCorp has no direct access to this information.

I'm happy to answer any questions, and once again I'm sorry about how this wasn't communicated up front.

schuettecarsten commented 5 years ago

> I'm happy to answer any questions, and once again I'm sorry about how this wasn't communicated up front.

Thank you for clarification!

For me, it would be absolutely okay if Hashicorp gets some kind of revenue or credits, as Terraform is a really great tool. My biggest issue was the documentation, that the id-issuer can get more or less detailed information about the deployments. If it's clear that this does not happen, I'm fine.

rekcus2 commented 5 years ago

> Going forward, we will be building an option to opt out

If you do not understand the word principle, you can stop reading now.

At the time of writing I was the 1st who downvoted that, while writing the 2nd came in, there are now 67 thumbs up. I think this is troubling and the fact that you people's standards are so low is sad. Nowadays it seems companies deserve applause for not trying to sneak in some bullshit but instead apparently sneak it in for "bullgood" TM.

I am not debating if it's OK and "not nefarious" at this point, it's about principle! It's about data grabbing spyware producing tech giants like M$ and maybe HashiCorp may do in the future with this? Terms may change, data sharing might change, "bugs" TM may suddenly "accidentally" leak information that was never intended to be shared ... Why do you applaud that they only make it opt out after some backlash now? Opt out is bullshit! No matter where, no matter for what. If it's optional not needed data grabbing for whatever claim it's bullshit to opt people in by default without explicitly asking. And bury some shit down in some terms somewhere is not asking. Things like this need to be opt in and NOT opt out! And you people need to have some standards. If you all lovingly give away your data then make them ask you and opt in for it!

echuvyrov commented 5 years ago

Apologies for not properly vetting the change with the community before releasing it. We will ensure that the intent behind the changes we introduce in the future is clear.

It's been noted that the community has expressed concerns that Terraform does not cover some of the latest, important features in Azure. As Mitchell stated, the only goal of this addition was to marshal more resources towards Terraform provider for Azure, and an Azure partner customer usage attribution program allows us to do that.

For more information about the partnership program, you can visit https://docs.microsoft.com/en-us/azure/marketplace/azure-partner-customer-usage-attribution

mitchellh commented 5 years ago

Hi @rekcus2, I would agree with you if we were making available any information that isn't already available. As noted in my response, Microsoft already has full access to all the information anyways associated by rich information like user ID and often organization ID (this is Microsoft data, not Terraform).

The partner ID makes it easier for them to justify supporting this provider further. It doesn't give us direct access to any of it. Therefore, the partner ID only serves to help this MPL2-licensed OSS project by giving us access to more full time help in maintaining it. It does not cost us or the user any PII since that user information is being submitted anyways via any API calls (Terraform or not).

Therefore, default opt-out in this case would only serve to harm both the users and the project. And default opt-in does not send any more user information than is already sent (and already associated by an account).

@markbernard I do appreciate the defense, but I'd like to ask that we keep the discussion trended towards kindness. This goes for us all in accordance with our community guidelines. https://www.hashicorp.com/community-guidelines

rekcus2 commented 5 years ago

> Microsoft already has full access to all the information anyways

OK if they have this all anyway why do you need to opt people into things then, that's an oxymoron. And spare me the technical details, not interested. I say it again, it's about principle not about this case. And like I expected people here to not get it, already got a response (deleted now) totally missing the point trying to make a point that my opinion does not matter because I do not know anything. I purposefully do not want to know! Because this does not change anything about principle! Opt out is bullSHIT! No matter how you spin it.

> The partner ID makes it easier for them to justify supporting this provider further.

I do not give a flying fuck about making anything easier for any company like M$. Neither should you, nor should you make your users share anything, especially if M$ apparently already has that data anyway. Again that's an oxymoron and I do not buy it.

tombuildsstuff commented 5 years ago

:wave:

Thanks for opening this issue and raising this.

We've opened #4751 which includes a new feature to allow users to opt-out of this Default Terraform Partner ID; which will ship in a new version of the AzureRM Provider later today (v1.36.1).

When this release becomes available it'll be possible to opt out of the Partner ID either in the Provider Block, like so:

provider "azurerm" {
  version = "=1.36.1"
  disable_terraform_partner_id = true
}

or by setting the Environment Variable ARM_DISABLE_TERRAFORM_PARTNER_ID to true.

Shortly after the release is available the Provider Documentation will include some more information on this and how to opt-out.

I'll post an update here when that's available - but thanks again for raising this, apologies that we didn't include an option to opt-out in the initial release.

Thanks!
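For anyone who needs to show in a compliance review which partner ID behaviour each provider block ends up with, here is an added example (not part of the thread and not the provider's own code). It only knows the `partner_id`, `disable_terraform_partner_id` and `ARM_DISABLE_TERRAFORM_PARTNER_ID` settings named in this issue, assumes a non-empty `partner_id` replaces the default as described above, and runs over a constructed sample configuration.

```python
import re

# Constructed sample configuration (illustrative, not taken from the issue).
SAMPLE_TF = '''
provider "azurerm" {
  version = "=1.36.1"
}

provider "azurerm" {
  alias   = "optout"
  version = "=1.36.1"
  disable_terraform_partner_id = true
}

provider "azurerm" {
  alias      = "isv"
  partner_id = "00000000-0000-0000-0000-000000000000"  # placeholder GUID
}
'''

PROVIDER_RE = re.compile(r'provider\s+"azurerm"\s*\{')
# key = value, with optional quotes and an optional trailing # comment
ATTR_RE = re.compile(r'^[ \t]*(\w+)[ \t]*=[ \t]*"?([^"\n#]*?)"?[ \t]*(?:#.*)?$', re.M)

def provider_blocks(text):
    """Yield the body of each provider "azurerm" block via brace matching."""
    for m in PROVIDER_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def attribution_status(body, env=None):
    """Return (alias, status) for one provider block."""
    env = env or {}
    attrs = {k: v.strip() for k, v in ATTR_RE.findall(body)}
    name = attrs.get("alias", "(default)")
    if attrs.get("partner_id"):
        # Assumption: a user-supplied ID is sent instead of the default one.
        return name, "custom partner_id"
    # The environment variable only applies when the block does not set the flag.
    disabled = attrs.get("disable_terraform_partner_id",
                         env.get("ARM_DISABLE_TERRAFORM_PARTNER_ID", "false"))
    if disabled.lower() == "true":
        return name, "opted out"
    return name, "default Terraform partner ID"

def audit(text, env=None):
    return [attribution_status(body, env) for body in provider_blocks(text)]

if __name__ == "__main__":
    for alias, status in audit(SAMPLE_TF):
        print(f"{alias}: {status}")
```

Pass `dict(os.environ)` as `env` to include the environment variable of the shell that runs Terraform.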

mitchellh commented 5 years ago

I'm sorry @rekcus2 but I hid your comment. Anyone with a GitHub account can still choose to view the comment if they want. While there were reasonable opinions raised in it, it contained inflammatory language that would only serve to offend and hurt myself and potentially members of this community. You're welcome to participate but only if you agree to follow our community guidelines: https://www.hashicorp.com/community-guidelines

My only response to your comment at this stage is perhaps that I respectfully disagree.

rekcus2 commented 5 years ago

@mitchellh OK yeah I made it easy for you didn't I. Coward, fits your action, already censoring because you can't stand some "evil" word suddenly. Even though my first comment already had the same word in it. And no you are not sorry.

AlgorithmsAreCool commented 5 years ago

> Just some random guy from HN here. Nothing to do with anything, proud to say I do not even know what terraform actually IS or what HashiCorp actually does (I know it when I hear about it again), did not even read the full claimed to be "not nefarious" purpose.

@rekcus2 Admitting that you don't know or care about what is being discussed and then expecting people to take your post seriously is an extraordinary display of hubris.

> At the time of writing I was the 1st who downvoted that, while writing the 2nd came in, there are now 67 thumbs up. I think this is troubling and the fact that you people's standards are so low is sad. Nowadays it seems companies deserve applause for not trying to sneak in some bullshit but instead apparently sneak it in for "bullgood" TM.

Despite this potential example of poor communication, Hashicorp has a lot of goodwill from the community and most people are probably willing to give them the benefit of the doubt.

rekcus2 commented 5 years ago

@AlgorithmsAreCool I proudly admitted that, even though I changed it to

> If you do not understand the word principle, you can stop reading now.

Because I do not want to get bored by the likes of you who demonstrate that they do not get my point at all. I do care about one thing and that is opt in is [need to self censor or I give the trigger happy censor boy a reason to delete me]. Context does NOT matter in my point, so there is no point for me to waste my time to educate myself of the funny oxymoron that they would "not need to share anything because M$ already has that data anyway and that is why they opt everyone in" thing. But you do not get that, I got that.

> Hashicorp has a lot of goodwill from the community and most people are probably willing to give them the benefit of the doubt

Yeah most people have an Echo, Alexa in their homes, most people have no standards and most people are utter [self censored again]. Most people read news about spyware data giants abusing their data on a daily basis but because "Hashicorp has a lot of goodwill from the community" these [self censored] think it's OK to provide them with some loophole to grab anything on them in the future. It's not a conspiracy theory, this happened A LOT. Hashicorp has no influence over what M$ does with whatever user data they present to them apparently just for fun without any gain or need, haha. You really do not get it, it's not about giving "Hashicorp ... the benefit of the doubt." here.

tombuildsstuff commented 5 years ago

👋

Version 1.36.1 of the Azure Provider has been released - you can upgrade by specifying the version in your provider block:

provider "azurerm" {
  version = "=1.36.1"
}

and then running terraform init -upgrade which will download the latest version of the Azure Provider and switch to using this.

As mentioned above this release contains support for opting out of the Default Terraform Partner ID - more information can be found in the Terraform Website Documentation.

Thanks!

OliverCole commented 5 years ago

@mitchellh I think this would have been a great discussion on the original PR, where a perfectly reasonable question was raised, and either ignored or answered out of band.

richeney commented 5 years ago

Point of clarification as I work for Microsoft with UK partners. The "credit" for using Customer Usage Attribution is purely recognition. There is nothing financial directly related to it. The data is very aggregated and generalised so as a partner you cannot interrogate it for any customer level information.

leehambley commented 5 years ago

This topic came to a close already, and @mitchellh did an amazing job of addressing people's immediate reaction of fear and distrust (in the current climate of capricious companies taking every opportunity to seize data).

That all said @richeney I think coming to a forum such as this and claiming that Microsoft cares about customer privacy risks setting you up to be attacked. If Microsoft truly cared about these things they wouldn't have relationships with oppressive regimes, be operating data centres for mass surveillance, and perhaps the least significant, on this sliding scale... the absurd amount of unavoidable "telemetry" in Windows 10 which has been the subject of a number of legal challenges world-wide.

Microsoft has been improving in recent years, and their commitment to open source, especially is gratifying, but trust is hard won, and easily lost.

richeney commented 5 years ago

I wouldn't want this to go off topic based on a subjective comment so I edited my post to purely the key objective facts.

My point was that using partner_id (and Hashicorp's more recent default value) is not linked to a commercial rebate or incentive. One poster had inferred that from the word "credit". And then @mitchellh said "Some have pointed out that the docs specifically state that this is used for credit/revenue sharing." I thought it was important to correct that and say that this is solely a recognition mechanism and that applies to all partners who use it, not just Hashicorp.

paultyng commented 5 years ago

I'm going to lock this issue, the posts above from @mitchellh and @tombuildsstuff address the technical concerns and privacy concerns raised I believe. If people have additional or new concerns please open a new issue, the additional discussion is probably best had in another forum outside of GitHub issues.