oci-go-sdk

don't hijack TF_VAR, please use OCI instead.

Open tkellen opened this issue 10 months ago • 3 comments

Please consider using your own prefix for environment variables (OCI suggested here). For consumers of this SDK that are not using terraform, TF_VAR is nonsensical. For consumers of terraform, the fact that TF_VAR references are accepted with no corresponding terraform variable blocks is very confusing.

Given this local configuration...

export TF_VAR_tenancy_ocid="..."
export TF_VAR_compartment_ocid="..."
export TF_VAR_user_ocid="..."
export TF_VAR_fingerprint="..."
export TF_VAR_private_key="..."

It should NOT be possible to authenticate to OCI using this terraform configuration (but currently is):

provider "oci" {}

When using TF_VAR as a prefix, this configuration would be consistent with every other usage of terraform that exists in the ecosystem today:

provider "oci" {
  region       = "us-chicago-1"
  tenancy_ocid = var.tenancy_ocid
  user_ocid    = var.user_ocid
  fingerprint  = var.fingerprint
  private_key  = var.private_key
}

variable "tenancy_ocid" {}
variable "user_ocid" {}
variable "fingerprint" {}
variable "private_key" {}

By changing the supported prefix to OCI and removing TF_VAR you would be introducing a breaking change for downstream consumers. Authentication (in terraform) without explicit variable references would stop working. Authentication in every other context for consumers that aren't in terraform would make a bit more sense.

If this change is landed, the following configuration would produce "normal" behavior consistent with every other provider in the ecosystem:

export OCI_tenancy_ocid="..."
export OCI_compartment_ocid="..."
export OCI_user_ocid="..."
export OCI_fingerprint="..."
export OCI_private_key="..."

provider oci {}

For reference, in the AWS world the same is possible using AWS-prefixed environment variables like AWS_ACCESS_KEY etc.

If this is landed, the documentation here should simply switch from TF_VAR prefixes to OCI prefixes. Again, though this would be a breaking change, it would produce behavior consistent with the entire terraform ecosystem. If there are OSS repositories for this documentation I would be happy to submit companion PRs that explain this "fix".

/ref https://github.com/oracle/oci-go-sdk/issues/318#issuecomment-2074824309

tkellen, Apr 24 '24 12:04
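
A check for the situation described in the issue above, as an added example that is not part of the original issue or of the oci-go-sdk code: it lists TF_VAR_-prefixed variables, named as in the issue's export lines, that are set in the environment but have no matching variable block in the given Terraform source. The helper name `implicitCredentials` and the regex-based scan for variable blocks are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"regexp"
	"sort"
	"strings"
)

// Field names copied from the export lines in the issue.
var ociFields = map[string]bool{"tenancy_ocid": true, "compartment_ocid": true,
	"user_ocid": true, "fingerprint": true, "private_key": true}

// Assumption: a regex scan is enough to find variable blocks; it is not a full HCL parser.
var variableBlock = regexp.MustCompile(`(?m)^\s*variable\s+"?([A-Za-z_][A-Za-z0-9_-]*)"?\s*\{`)

// implicitCredentials (hypothetical helper) returns the TF_VAR_-prefixed names in
// environ (KEY=VALUE entries) that match an OCI field but have no variable block in tfSource.
func implicitCredentials(environ []string, tfSource string) []string {
	declared := map[string]bool{}
	for _, m := range variableBlock.FindAllStringSubmatch(tfSource, -1) {
		declared[m[1]] = true
	}
	var hits []string
	for _, kv := range environ {
		key := strings.SplitN(kv, "=", 2)[0]
		name := strings.TrimPrefix(key, "TF_VAR_")
		if name != key && ociFields[name] && !declared[name] {
			hits = append(hits, key)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	// Usage: cat *.tf | go run check.go (inspects the current environment).
	src, err := io.ReadAll(os.Stdin)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, key := range implicitCredentials(os.Environ(), string(src)) {
		fmt.Printf("%s is set with no matching variable block\n", key)
	}
}
```

Only variable names are printed, never their values, so the output is safe to keep in CI logs.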

Thank you for your pull request and welcome to our community! To contribute, please sign the Oracle Contributor Agreement (OCA). The following contributors of this PR have not signed the OCA:

To sign the OCA, please create an Oracle account and sign the OCA in Oracle's Contributor Agreement Application.

When signing the OCA, please provide your GitHub username. After signing the OCA and getting an OCA approval from Oracle, this PR will be automatically updated.

If you are an Oracle employee, please make sure that you are a member of the main Oracle GitHub organization, and your membership in this organization is public.

@sahilg11, I believe you authored support for this originally over at https://github.com/terraform-providers/terraform-provider-oci/, can you please weigh in on the veracity of this request?

tkellen, Apr 24 '24 13:04

Also worth noting that the environment variables supported by the CLI (written in python) are not supported in the language-specific SDKs which further confuses things for consumers. See: https://github.com/oracle/oci-go-sdk/issues/495.

tkellen, Apr 24 '24 15:04