Do API request to validate access before plan

[alexsomesan]

Description

This change introduces a check for valid credentials at the beginning of plan. This is to ensure that users get a clear meaningful error message rather than a raw error from the API. If credentials are invalid but the API is otherwise accessible the users will get this message:

Error: Invalid credentials

  on main.tf line 5, in resource "kubernetes_manifest" "test-configmap":
   5: resource "kubernetes_manifest" "test-configmap" {

The credentials configured in the provider block are not accepted by the API
server. Error: Unauthorized

Set TF_LOG=debug and look for '[InvalidClientConfiguration]' in the log to see
actual configuration.

The check is performed by doing a simple GET call on the API endpoint using the path /apis which only responds to authenticated calls but otherwise doesn't require specific permissions like resource paths do.

This also avoids the problem reported in #159 where the cached RESTMapper will get stuck in retry loop when credentials are invalid.

Release Note

Release note for CHANGELOG:

* checks credentials against the API at plan time and avoid infinite retry loop (#159)

References

Fixes #159

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

[davidalger]

I like it 🥇

[achew22]

Thanks for the fix!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!