
Add support for username/password authentication

Open vrabbi opened this issue 4 years ago • 7 comments

vRA version: 8.1
Terraform version: 0.12
terraform-provider-vra plugin version: built from master branch yesterday

Is your feature request related to a problem? Please describe. This is an enhancement, not a bug.

Describe the solution you'd like Add the ability to use username/password instead of a refresh token in the provider. Refresh tokens change and are therefore more cumbersome to manage, especially as part of automated pipelines calling Terraform. Also, there are cases where the token expires mid-run and then there are issues and Terraform fails to apply. By adding the username/password auth option and having the provider retrieve the token, similar to the vRA 7 provider (which also uses bearer tokens in the backend) or the vSphere provider (which also uses tokens for authentication), the implementation is much smoother.

Describe alternatives you've considered Currently I have a cron on my computer that runs a bash script that retrieves the refresh token and saves it in an environment variable I use in my Terraform files. This method works for Terraform open source when not collaborating with others. This solution is not relevant, though, for Terraform Enterprise/Cloud, or even for open source when collaborating.

Additional context I'm not sure how this would be implemented with vRA Cloud as I don't have an environment and don't know how you retrieve tokens from it, but for vRA 8 it should be very simple and would be truly helpful.

vrabbi avatar Jun 04 '20 10:06 vrabbi

Hi @vrabbi,

vRA Cloud doesn't support getting a refresh token using username and password. So even if this were implemented, it would have to be only for vRA on-prem.

Even if it were to be implemented to work only for vRA 8, there are a couple of challenges with respect to using username and password and generating a token every time a command is run.

For long-running commands, the provider already supports token renewal, where a new access_token is generated every time a 401 error is returned from the remote vRA services. For the provider to renew the access_token, the provider configuration should include refresh_token.

Also, refresh_token is valid for about 90-180 days depending on the settings, and access_token is valid for about 8 hours if retrieved from /iaas/api/login and, I think, for about 30 mins if retrieved from the CSP API.

Are you still seeing the token expire issues if you are providing refresh_token?

dmettem avatar Jun 11 '20 02:06 dmettem
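The renewal behaviour described in the reply above (exchange refresh_token for an access_token, renew on a 401 mid-run), as an added example in Go; this is not code from the thread or from terraform-provider-vra. It assumes a vRA 8 style login endpoint at POST /iaas/api/login that takes {"refreshToken": ...} and returns {"token": ...}, a protected resource at /iaas/api/projects, and a constructed in-process stand-in for the appliance so the example runs offline. The client renews exactly once per request: a second 401 (revoked or wrong refresh token) is returned to the caller rather than retried forever.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Client keeps the long-lived refresh_token and the short-lived access token it yields.
// Endpoint paths and JSON field names are assumptions made for this example.
type Client struct {
	BaseURL, RefreshToken, accessToken string
	HTTP                               *http.Client
	Logins                             int // times an access token was (re)issued
}

// login exchanges the refresh token for an access token (assumed: POST /iaas/api/login).
func (c *Client) login() error {
	body, _ := json.Marshal(map[string]string{"refreshToken": c.RefreshToken})
	resp, err := c.HTTP.Post(c.BaseURL+"/iaas/api/login", "application/json", bytes.NewReader(body))
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("login failed: HTTP %d", resp.StatusCode)
	}
	var out struct{ Token string `json:"token"` }
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return err
	}
	c.accessToken, c.Logins = out.Token, c.Logins+1
	return nil
}

// Do logs in on first use; when the service answers 401 (access token expired mid-run)
// it renews the access token from the refresh token and retries exactly once.
func (c *Client) Do(method, path string) (int, error) {
	for attempt := 0; ; attempt++ {
		if c.accessToken == "" {
			if err := c.login(); err != nil {
				return 0, err
			}
		}
		req, _ := http.NewRequest(method, c.BaseURL+path, nil)
		req.Header.Set("Authorization", "Bearer "+c.accessToken)
		resp, err := c.HTTP.Do(req)
		if err != nil {
			return 0, err
		}
		resp.Body.Close()
		if resp.StatusCode != http.StatusUnauthorized || attempt == 1 {
			return resp.StatusCode, nil
		}
		c.accessToken = "" // rejected: renew and retry; a second 401 goes back to the caller
	}
}

// FakeVRA is a constructed stand-in for vRA 8: one known refresh token, a new access
// token per login, and only the most recently issued access token is accepted.
type FakeVRA struct {
	mu               sync.Mutex
	refresh, current string
	issued           int
}

func (f *FakeVRA) Expire() { f.mu.Lock(); f.current = ""; f.mu.Unlock() } // access token lapses

func (f *FakeVRA) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	f.mu.Lock()
	defer f.mu.Unlock()
	if r.URL.Path == "/iaas/api/login" {
		var in struct{ RefreshToken string `json:"refreshToken"` }
		if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&in) != nil || in.RefreshToken != f.refresh {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		f.issued++
		f.current = fmt.Sprintf("access-%d", f.issued)
		json.NewEncoder(w).Encode(map[string]string{"tokenType": "Bearer", "token": f.current})
		return
	}
	if f.current == "" || r.Header.Get("Authorization") != "Bearer "+f.current {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	w.Write([]byte(`{"content":[]}`))
}

// RunScenario: one request, then the access token lapses mid-run, then another request.
// It returns the second request's status and how many times the client had to log in.
func RunScenario(refreshToken string) (int, int, error) {
	fake := &FakeVRA{refresh: "constructed-refresh-token"} // constructed sample credential
	srv := httptest.NewServer(fake)
	defer srv.Close()
	c := &Client{BaseURL: srv.URL, RefreshToken: refreshToken, HTTP: srv.Client()}
	if _, err := c.Do("GET", "/iaas/api/projects"); err != nil {
		return 0, c.Logins, err
	}
	fake.Expire()
	status, err := c.Do("GET", "/iaas/api/projects")
	return status, c.Logins, err
}
```

Calling RunScenario("constructed-refresh-token") yields status 200 with two logins: the initial exchange and one renewal after the simulated expiry. With a refresh token the stand-in does not know, the initial login fails with HTTP 401 and no request is ever sent with an empty bearer token, which is the case the thread's refresh_token rotation (90-180 days) eventually turns into if nobody updates the stored value.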

Thanks for the detailed response. The issue is not expiring in the run. The issue is multi-part.

  1. We have a use case for using Terraform Enterprise and utilizing the GitOps flow. The issue with a refresh token is that every user who is using the system (over 100 developers) would need to retrieve the token and update it in the TF Enterprise vault every 90 days. While this isn't terrible in many use cases, it is concerning for the specific end users here.
  2. Using the refresh token and utilizing Terraform Enterprise becomes even more problematic in terms of the requirement then to give all end users the RBAC permissions to manage variables, which is a security issue.

vrabbi avatar Jun 11 '20 03:06 vrabbi

Any updates on this?

vrabbi avatar Aug 03 '20 04:08 vrabbi

@dmettem any updates on this? Is this something that is out of the scope of the provider or something that could be added? Just trying to figure out my different options

vrabbi avatar Sep 08 '20 06:09 vrabbi

@vrabbi - Sorry for getting back late. At the moment, this is not in scope of the provider as there is no common way to do it between vRA Cloud and vRA 8.x.

I'll get back to you if anything changes once I discuss with the rest of the team.

dmettem avatar Sep 08 '20 18:09 dmettem

It may make more sense for vRA on-prem to have an enhancement similar to vRA Cloud for API tokens. And then perhaps leverage Terraform + Vault for storing and updating...

tenthirtyam avatar May 25 '21 01:05 tenthirtyam

It would really make sense if we could have a vRA 7-like username/password feature in vRA 8 (on-prem) for Terraform Enterprise.

shyamchander01 avatar Jul 19 '21 06:07 shyamchander01