[Feature Request] Support for terraform login credentials #146

Closed
sean-nixon opened this issue Mar 17, 2020 · 8 comments

Comments

@sean-nixon

Terraform 0.12.21 added a terraform login command which populates credentials at $HOME/.terraform.d/credentials.tfrc.json (not sure if the Windows Path differs). It would be great if the TFE provider could pick up those credentials automatically in addition to the currently supported methods of the TFE_TOKEN environment variable and the CLI config file.

@straubt1

straubt1 commented Apr 3, 2020

This would be great!

@tristanmorgan
Member

Is this related to #111 in how credentials are retrieved?

@sean-nixon
Author

@tristanmorgan I think credentials_helper is separate from the terraform login functionality and credential storage

@tristanmorgan
Member

My poorly worded comment was more about how the TFE provider should use the same code for storage and retrieval of tokens as the login in terraform cli, similar to this issue in the provider for Vault.

@sean-nixon
Author

Gotcha. I don’t disagree with you there.

@bendrucker
Contributor

Hey guys, they are related and have the same solution. terraform login (and logout) does call a credential helper if you have one defined. Shameless plug for a credential helper you might want to try 😄:

https://github.com/bendrucker/terraform-credentials-keychain

Here's an example of using the cliconfig package to load the configuration and get credentials for a given host:

https://github.com/bendrucker/terraform-cloud-cli/blob/master/cmd/meta.go#L30-L72

That ends up invoking the credential helper as long as you don't have a statically defined token for that host.

Terraform is versioned as a CLI and not a library, so there are no versioning guarantees around those packages. There may be some hesitation from the maintainers around re-introducing that coupling now that terraform-plugin-sdk is a thing. If a Terraform version made breaking changes, the provider can't readily switch on TerraformVersion and call different versions of the libraries, since the two versions will have the same major identifier.

I don't have a pressing personal need for this feature but I'm happy to provide feedback on a PR.

@rorychatterton

This provider already supports .terraformrc - it should be trivial to upgrade it to support the $HOME/.terraform.d/credentials.tfrc.json file.

The file parsing logic is here:
https://github.com/terraform-providers/terraform-provider-tfe/blob/7995bdae588a5758da9ecf422284b2c919010ea4/tfe/provider.go#L212

This would just need to be split into two file provider types, one that parses HCL, one JSON.

The lookup logic is in these two files:
Nix: https://github.com/terraform-providers/terraform-provider-tfe/blob/master/tfe/config_unix.go
Windows: https://github.com/terraform-providers/terraform-provider-tfe/blob/master/tfe/config_windows.go

I'd suggest we want to set the order of residence as credentials.tfrc.json BEFORE .terraformrc

Then finally just update the docs with the new lookup.

I won't get a chance to look at this in the next week, but seems relatively easy for somebody else to pick up. In the interim, I'd suggest tracking the credential helper convo in the other thread linked #111

@grantorchard

After a quick look at that code I thought it worth trying this as a workaround, and it seems to be working with the TFE provider after a couple of different tests.

export TERRAFORM_CONFIG=/Users/grant/.terraform.d/credentials.tfrc.json


7 participants