Dynamic provider attribute credentials

[cdsre]

Checklist

• I have looked into the README and have not found a suitable solution or answer.
• I have looked into the documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have upgraded to the latest version of this provider and the issue still persists.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

Most terraform providers support the concept of being able to pass attributes to resources and providers that are not known until apply time. See Provider Framework Docs

Not all values are guaranteed to be known when Configure is called. For example, if a practitioner interpolates a resource's unknown value into the block, that value may show up as unknown depending on how the graph executes:

resource "random_string" "example" {}

provider "examplecloud" {
  api_token = random_string.example.result
  endpoint  = "https://example.com/"
}

Auth0 provider use to work with these unkown values that would be interpolated at apply time. However due to a change added in 1.7.3 this no longer works. I had a discussion about this in #1074 with @duedares-rvj about this and tried to solve it a few times.

Expectation

The biggest problem trying to solve this is the auth0 provider is still using the SDKv2 plugin for the provider. In the framework plugin values can be checked with IsNull() and IsUnkown() to distinguish between an empty value and a value that's not yet been interpolated.

It seems that there is no appetite from the developers to regress the change added in 1.7.3 which broke this, so I would like to propose an additional, backwards compatible way to handle this that will still give the experience that 1.7.3 introduced for when the values are not provided. But will also allow users to utilise a provider attribute to indicate that the values will be dynamically provided by the apply.

I have a working model of this which I will submit as a PR but it roughly looks like

func ConfigureProvider(terraformVersion *string) schema.ConfigureContextFunc {
	return func(_ context.Context, data *schema.ResourceData) (interface{}, diag.Diagnostics) {
		domain := data.Get("domain").(string)
		clientID := data.Get("client_id").(string)
		clientSecret := data.Get("client_secret").(string)
		apiToken := data.Get("api_token").(string)
		audience := data.Get("audience").(string)
		debug := data.Get("debug").(bool)
		dynamicCredentials := data.Get("dynamic_credentials").(bool)

		if !dynamicCredentials && apiToken == "" && (clientID == "" || clientSecret == "" || domain == "") {
			return nil, diag.Diagnostics{
				{
					Severity: diag.Error,
					Summary:  "Missing environment variables",
					Detail: fmt.Sprintf("Either AUTH0_API_TOKEN or AUTH0_DOMAIN:AUTH0_CLIENT_ID:AUTH0_CLIENT_SECRET must be configured. " +
						"Ref: https://registry.terraform.io/providers/auth0/auth0/latest/docs"),
				},
			}
		}

This will continue to apply the behaviour introduced in 1.7.3 but can skip the validation of empty values when the user knows they will be interpolated at apply time. This makes it fully backwards compatible and allows via a provider flag to work as it did prior to 1.7.3

Reproduction

Up until release 1.7.3 the auth0 provider worked with dynamic values like this and allowed for attributes of the provider to be defined from other resources and worked with no issues

Given

terraform {
    required_providers {
        random = {
            source  = "hashicorp/random"
            version = "3.6.2"
        }
        auth0 = {
            source  = "auth0/auth0"
            version = "1.7.1"
        }
    }
}

module "auth0_config" {
    source = "./some_auth_module"
}

# This is added in the root module to avoid using the output from the auth0_config module as the data lookup can be
# delayed due to dependencies, as otherwise this causes reads on the provider alias to fail during the object refresh when planning
data "auth0_client" "user_management_m2m" {
    client_id = module.auth0_config.m2m_user_management_client_id
}

provider "auth0" {
    alias         = "user_management_auth0"
    client_id     = module.auth0_config.m2m_user_management_client_id
    client_secret = data.auth0_client.user_management_m2m.client_secret
    domain        = "example.com"
}

resource "auth0_user" "internal_admin_user" {
    provider        = auth0.user_management_auth0
    connection_name = "foo"
    email           = "[email protected]"
    email_verified  = true
}

When

However in 1.7.3 a change was introduced that forces that these values for the provider attributes must be known values at the time when the configure is called on the provider. With the same terraform code which works on 1.7.1 when upgraded to 1.7.3 no longer works and gets the error

Then

╷
│ Error: Invalid provider configuration
│
│ Provider "registry.terraform.io/auth0/auth0" requires explicit configuration. Add a provider block to the root module and configure the provider's required arguments as described in the provider      
│ documentation.
│
╵
╷
│ Error: Missing environment variables
│
│   with provider["registry.terraform.io/auth0/auth0"],
│   on <empty> line 0:
│   (source code not available)
│
│ Either AUTH0_API_TOKEN or AUTH0_DOMAIN:AUTH0_CLIENT_ID:AUTH0_CLIENT_SECRET must be configured. Ref: https://registry.terraform.io/providers/auth0/auth0/latest/docs
╵

Auth0 Terraform Provider version

1.7.3

Terraform version

1.8.2