… unknown provider config

Add lazy initialization for the project API client to handle the case where provider credentials (project_slug, project_api_key) reference resources being created in the same apply. Previously this caused a nil pointer dereference because Terraform marks such values as "unknown" during provider configuration.

Changes:
- Add ensureProjectClient() guard with mutex to all projectClient methods
- Add SetProjectCredentials() for runtime credential injection
- Add resource-level project_slug and project_api_key attributes to ory_oauth2_client for same-apply scenarios
- Extract scheme constants to satisfy goconst linter

Fixes #56
Pull request overview
This pull request fixes a nil pointer dereference that occurred when creating an ory_oauth2_client resource whose provider credentials reference resources being created in the same terraform apply. When Terraform marks such values as "unknown" during provider configuration, the internal projectClient remained nil, causing a panic on the first API call. The fix introduces lazy initialization for the project API client with clear error messaging, and adds optional resource-level credential attributes to enable same-apply project and client creation.
Changes:
- Added lazy initialization with `ensureProjectClient()` method guarding all 20+ project API client usages
- Added `SetProjectCredentials()` to allow runtime credential injection from resource-level attributes
- Added optional `project_slug` and `project_api_key` attributes to `ory_oauth2_client` schema
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| internal/client/client.go | Adds lazy initialization (ensureProjectClient) and credential setter (SetProjectCredentials) with mutex protection; adds guards to all project client methods; extracts URL scheme constants |
| internal/client/client_test.go | Adds 7 unit tests covering lazy initialization, credential setting, re-initialization, and missing credential scenarios |
| internal/resources/oauth2client/resource.go | Adds project_slug and project_api_key schema attributes; adds setResourceCredentials helper; calls credential setter in all CRUD operations |
| internal/resources/oauth2client/resource_test.go | Adds acceptance test for resource-level credentials feature |
| internal/resources/oauth2client/testdata/with_resource_credentials.tf.tmpl | Test configuration template for resource-level credentials |
| templates/resources/oauth2_client.md.tmpl | Adds "Resource-Level Credentials" documentation section with example |
| examples/resources/ory_oauth2_client/resource.tf | Adds same-apply example demonstrating resource-level credentials |
| docs/resources/oauth2_client.md | Generated documentation updates with new attributes and examples |
Replace the mutable SetProjectCredentials method with WithProjectCredentials that returns a new isolated OryClient. This eliminates shared state mutation and race conditions when multiple resources use different credentials. The new client shares the console API client with its parent but has its own project API client (lazily initialized), ensuring thread safety.
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
| # Same-apply: Create project and OAuth2 client together | ||
| # Use resource-level credentials when the project doesn't exist yet | ||
| resource "ory_oauth2_client" "same_apply" { | ||
| project_slug = ory_project.main.slug | ||
| project_api_key = ory_project_api_key.main.value | ||
|
|
||
| client_name = "Created with Project" | ||
| grant_types = ["client_credentials"] | ||
| token_endpoint_auth_method = "client_secret_post" | ||
| scope = "api:read api:write" | ||
| } |
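Review bot: The line `project_api_key = ory_project_api_key.main.value` passes the project API key through an attribute of the `ory_oauth2_client` resource, and nothing in the example tells the reader that the value will then be stored with this resource in Terraform state. Please confirm the new attribute is marked sensitive in the schema so it is redacted from plan output, and add a short comment above this line about the state exposure. The empty lines between the credentials and `client_name` can also be collapsed to one.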
The example references ory_project.main and ory_project_api_key.main resources that are not defined in this file. For a complete, working example, these resource definitions should be included. Consider adding:

```hcl
resource "ory_project" "main" {
  name        = "my-project"
  environment = "prod"
}

resource "ory_project_api_key" "main" {
  project_id = ory_project.main.id
  name       = "terraform-key"
}
```

before the ory_oauth2_client resource, or add a comment noting that these resources need to be defined elsewhere.
Description

Fixes a nil pointer dereference crash when creating an `ory_oauth2_client` resource whose provider credentials (`project_slug`, `project_api_key`) reference resources being created in the same `terraform apply`. Terraform marks such values as "unknown" during provider configuration, leaving the internal `projectClient` nil and causing a panic on the first API call.

This PR adds lazy initialization for the project API client and introduces resource-level credential attributes so that `ory_oauth2_client` can be created in the same apply as the project it belongs to.

Changes

`internal/client/client.go`
- `ensureProjectClient()` with mutex-protected lazy initialization, called as a guard in all 20+ methods that use `projectClient`
- `SetProjectCredentials(slug, apiKey)` to allow runtime credential injection from resource-level attributes
- `schemeHTTPS`/`schemeHTTP` constants to satisfy `goconst` linter

`internal/resources/oauth2client/resource.go`
- `project_slug` and `project_api_key` schema attributes
- `SetProjectCredentials()` before API calls in Create, Read, Update, and Delete

Documentation & Examples
- `templates/resources/oauth2_client.md.tmpl`
- `examples/resources/ory_oauth2_client/resource.tf`

Related Issues

Fixes #56

Type of Change

Checklist
- make test)
- make format)

Testing
- `ensureProjectClient()` and `SetProjectCredentials()` (34 total, all pass)
- `TestAccOAuth2ClientResource_withResourceCredentials` test; all 8 OAuth2 client acceptance tests pass against staging

Screenshots/Output

Before (crash):

After (clear error when credentials missing):

Acceptance tests:
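
A minimal Go sketch of the pattern described in this PR and its follow-up commit, added here as an illustration and not taken from the provider's code: a mutex-guarded lazy initializer that returns an error instead of dereferencing a nil client, and a `WithProjectCredentials` that returns an isolated copy rather than mutating shared state. The `Client` and `projectAPI` types, `SlugInUse`, `ErrNoProjectCredentials` and the credential values are hypothetical, and the shared console client is omitted.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// projectAPI is a hypothetical stand-in for the generated project API client.
type projectAPI struct{ slug, apiKey string }
// Client is a simplified, hypothetical model of the provider's client wrapper.
type Client struct {
	slug, apiKey string      // empty when provider values were "unknown"
	mu           sync.Mutex  // guards project
	project      *projectAPI // nil until first use
}

var ErrNoProjectCredentials = errors.New("project_slug and project_api_key are not set")
// ensureProjectClient builds the project client on first use, or returns an error.
func (c *Client) ensureProjectClient() (*projectAPI, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.project == nil {
		if c.slug == "" || c.apiKey == "" {
			return nil, ErrNoProjectCredentials
		}
		c.project = &projectAPI{slug: c.slug, apiKey: c.apiKey}
	}
	return c.project, nil
}

// WithProjectCredentials returns a new Client; the receiver is never mutated.
func (c *Client) WithProjectCredentials(slug, apiKey string) *Client {
	return &Client{slug: slug, apiKey: apiKey}
}

// SlugInUse models one guarded API method and reports which project it targets.
func (c *Client) SlugInUse() (string, error) {
	p, err := c.ensureProjectClient()
	if err != nil {
		return "", err
	}
	return p.slug, nil
}

func main() {
	_, err := (&Client{}).SlugInUse() // no credentials known at configure time
	fmt.Println(err)
}
```

Because each derived client owns its own mutex and lazily built project client, two resources with different credentials in the same apply cannot end up calling the API with each other's key.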