Initial commit (functionality but not tests)

Author: Christian Doucette

internal/client/client.go

@@ -81,10 +81,10 @@ func getTokenFromCreds(services *disco.Disco, hostname svchost.Hostname) string
 //
 // Internally, this function caches configured clients using the specified
 // parameters
-func GetClient(tfeHost, token string, insecure bool) (*tfe.Client, error) {
-	config, err := configure(tfeHost, token, insecure)
+func GetClient(tfeHost, token string, insecure bool) (*tfe.Client, bool, error) {
+	config, sendCredentialDeprecationWarning, err := configure(tfeHost, token, insecure)
 	if err != nil {
-		return nil, err
+		return nil, sendCredentialDeprecationWarning, err
 	}
 
 	clientCache.Lock()
@@ -93,13 +93,13 @@ func GetClient(tfeHost, token string, insecure bool) (*tfe.Client, error) {
 	// Try to retrieve the client from cache
 	cached := clientCache.GetByConfig(config)
 	if cached != nil {
-		return cached, nil
+		return cached, sendCredentialDeprecationWarning, nil
 	}
 
 	// Discover the Terraform Enterprise address.
 	host, err := config.Services.Discover(config.TFEHost)
 	if err != nil {
-		return nil, fmt.Errorf("failed to create client: %w", err)
+		return nil, sendCredentialDeprecationWarning, fmt.Errorf("failed to create client: %w", err)
 	}
 
 	// Get the full Terraform Enterprise service address.
@@ -109,7 +109,7 @@ func GetClient(tfeHost, token string, insecure bool) (*tfe.Client, error) {
 		service, err := host.ServiceURL(tfeServiceID)
 		target := &disco.ErrVersionNotSupported{}
 		if err != nil && !errors.As(err, &target) {
-			return nil, fmt.Errorf("failed to create client: %w", err)
+			return nil, sendCredentialDeprecationWarning, fmt.Errorf("failed to create client: %w", err)
 		}
 
 		// If discoErr is nil we save the first error. When multiple services
@@ -133,15 +133,15 @@ func GetClient(tfeHost, token string, insecure bool) (*tfe.Client, error) {
 		// First check any constraints we might have received.
 		if constraints != nil {
 			if err := CheckConstraints(constraints); err != nil {
-				return nil, err
+				return nil, sendCredentialDeprecationWarning, err
 			}
 		}
 	}
 
 	// When we don't have any constraints errors, also check for discovery
 	// errors before we continue.
 	if discoErr != nil {
-		return nil, discoErr
+		return nil, sendCredentialDeprecationWarning, discoErr
 	}
 
 	// Create a new TFE client.
@@ -151,13 +151,13 @@ func GetClient(tfeHost, token string, insecure bool) (*tfe.Client, error) {
 		HTTPClient: config.HTTPClient,
 	})
 	if err != nil {
-		return nil, fmt.Errorf("failed to create client: %w", err)
+		return nil, sendCredentialDeprecationWarning, fmt.Errorf("failed to create client: %w", err)
 	}
 
 	client.RetryServerErrors(true)
 	clientCache.Set(client, config)
 
-	return client, nil
+	return client, sendCredentialDeprecationWarning, nil
 }
 
 // CheckConstraints checks service version constrains against our own

internal/client/config.go

@@ -165,9 +165,17 @@ func credentialsSource(credentials CredentialsMap) auth.CredentialsSource {
 	return creds
 }
 
+// Using presence of TFC_AGENT_VERSION to determine if this provider is running on HCP Terraform / enterprise
+func providerRunningInCloud() bool {
+	_, present := os.LookupEnv("TFC_AGENT_VERSION")
+	return present
+}
+
 // configure accepts the provider-level configuration values and creates a
 // clientConfiguration using fallback values from the environment or CLI configuration.
-func configure(tfeHost, token string, insecure bool) (*ClientConfiguration, error) {
+func configure(tfeHost, token string, insecure bool) (*ClientConfiguration, bool, error) {
+	sendCredentialDeprecationWarning := false
+
 	if tfeHost == "" {
 		if os.Getenv("TFE_HOSTNAME") != "" {
 			tfeHost = os.Getenv("TFE_HOSTNAME")
@@ -186,7 +194,7 @@ func configure(tfeHost, token string, insecure bool) (*ClientConfiguration, erro
 		v := os.Getenv("TFE_SSL_SKIP_VERIFY")
 		insecure, err = strconv.ParseBool(v)
 		if err != nil {
-			return nil, fmt.Errorf("TFE_SSL_SKIP_VERIFY has unrecognized value %q", v)
+			return nil, sendCredentialDeprecationWarning, fmt.Errorf("TFE_SSL_SKIP_VERIFY has unrecognized value %q", v)
 		}
 	}
 
@@ -198,7 +206,7 @@ func configure(tfeHost, token string, insecure bool) (*ClientConfiguration, erro
 	// Parse the hostname for comparison,
 	hostname, err := svchost.ForComparison(tfeHost)
 	if err != nil {
-		return nil, fmt.Errorf("invalid hostname %q: %w", tfeHost, err)
+		return nil, sendCredentialDeprecationWarning, fmt.Errorf("invalid hostname %q: %w", tfeHost, err)
 	}
 
 	httpClient := tfe.DefaultConfig().HTTPClient
@@ -232,17 +240,19 @@ func configure(tfeHost, token string, insecure bool) (*ClientConfiguration, erro
 
 	// If a token wasn't set in the provider configuration block, try and fetch it
 	// from the environment or from Terraform's CLI configuration or configured credential helper.
+
 	if token == "" {
 		if os.Getenv("TFE_TOKEN") != "" {
 			token = getTokenFromEnv()
 		} else {
+			sendCredentialDeprecationWarning = providerRunningInCloud()
 			token = getTokenFromCreds(services, hostname)
 		}
 	}
 
 	// If we still don't have a token at this point, we return an error.
 	if token == "" {
-		return nil, ErrMissingAuthToken
+		return nil, sendCredentialDeprecationWarning, ErrMissingAuthToken
 	}
 
 	return &ClientConfiguration{
@@ -251,5 +261,5 @@ func configure(tfeHost, token string, insecure bool) (*ClientConfiguration, erro
 		TFEHost:    hostname,
 		Token:      token,
 		Insecure:   insecure,
-	}, nil
+	}, sendCredentialDeprecationWarning, nil
 }

internal/provider/provider.go

@@ -153,19 +153,30 @@ func configure() schema.ConfigureContextFunc {
 			providerOrganization = os.Getenv("TFE_ORGANIZATION")
 		}
 
-		tfeClient, err := configureClient(rd)
+		tfeClient, sendCredentialDeprecationWarning, err := configureClient(rd)
 		if err != nil {
 			return nil, diag.FromErr(err)
 		}
 
+		var diagnosticWarnings diag.Diagnostics = nil
+		if sendCredentialDeprecationWarning {
+			diagnosticWarnings = diag.Diagnostics{
+				diag.Diagnostic{
+					Severity: diag.Warning,
+					Summary:  "Authentication method invalid for TFE Provider with HCP Terraform and Terraform Enterprise",
+					Detail:   "Use a TFE_TOKEN variable in the workspace or the token argument for the provider. This authentication method will be deprecated in a future version.",
+				},
+			}
+		}
+
 		return ConfiguredClient{
 			tfeClient,
 			providerOrganization,
-		}, nil
+		}, diagnosticWarnings
 	}
 }
 
-func configureClient(d *schema.ResourceData) (*tfe.Client, error) {
+func configureClient(d *schema.ResourceData) (*tfe.Client, bool, error) {
 	hostname := d.Get("hostname").(string)
 	token := d.Get("token").(string)
 	insecure := d.Get("ssl_skip_verify").(bool)

internal/provider/provider_next.go

@@ -111,13 +111,17 @@ func (p *frameworkProvider) Configure(ctx context.Context, req provider.Configur
 		}
 	}
 
-	tfeClient, err := client.GetClient(data.Hostname.ValueString(), data.Token.ValueString(), data.SSLSkipVerify.ValueBool())
+	tfeClient, sendCredentialDeprecationWarning, err := client.GetClient(data.Hostname.ValueString(), data.Token.ValueString(), data.SSLSkipVerify.ValueBool())
 
 	if err != nil {
 		res.Diagnostics.AddError("Failed to initialize HTTP client", err.Error())
 		return
 	}
 
+	if sendCredentialDeprecationWarning {
+		res.Diagnostics.AddWarning("Authentication method invalid for TFE Provider with HCP Terraform and Terraform Enterprise", "Use a TFE_TOKEN variable in the workspace or the token argument for the provider. This authentication method will be deprecated in a future version.")
+	}
+
 	configuredClient := ConfiguredClient{
 		Client:       tfeClient,
 		Organization: data.Organization.ValueString(),