I am implementing a custom terraform module(X) and provider. The provider definition block requires some values which are necessary for its client authentication.
Both modules X and Y share the same state and the order of execution should be first Y than X. This is because some endpoints and a value that is required by X are only available after Y has executed. Problem is, since they share the same state, when running the terraform apply the ConfigureProvider RPC won’t have those values and the provider will not be able to authenticate.
I’ve tested a solution of using a data resource that receives these values and handles the authentication(removing this from the provider “configure” step). However two problems raised:
-
the token retrieved from the authentication only exists in the client(shared by all resources) until the PlanResourceChange RPC. In the next one (the apply ) it’s no longer there(the client object is a *pointer however it seems to be “reset”;
-
when importing resources since I don’t have access to the client I am not able to properly authenticate and so it fails to authenticate and furthermore to import the resource;
I’ve seen for other cases a possible solution would be to have a per-resource authentication however in my case that solution can’t be used due to server-side restrictions.
Also I’ve seen that in some other cases like the kubernetes hashicorp provider there is a similar dependency since when creating resources even if the kubernetes cluster is not yet created the provider is initialized successfully.
So, is it possible to circumvent this problem? My end goals are:
-
have the authentication done one time and reuse the received token to perform CRUD operations for all resources;
-
maintain modules X and Y in the same state while possibly having a direct dependency from resources in Y that X’s provider requires to authenticate;