Background
With the main OpenStack provider, it's possible to define it something like this:
    terraform {
      required_providers {
        openstack = {
          source  = "terraform-provider-openstack/openstack"
          version = "~> 1.48.0"
        }
      }
      required_version = ">= 1.3.0"
    }

    provider "openstack" {
      tenant_name = var.project
    }
The remaining settings can be imported via environment variables, simply by downloading the OpenRC file for the application credentials from Horizon, and sourcing it into your environment prior to running Terraform. That OpenRC file looks something like this:
    #!/usr/bin/env bash
    export OS_AUTH_TYPE=v3applicationcredential
    export OS_AUTH_URL=https://openstack.eqiad1.wikimediacloud.org:25000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_REGION_NAME="eqiad1-r"
    export OS_INTERFACE=public
    export OS_APPLICATION_CREDENTIAL_ID=[snip]
    export OS_APPLICATION_CREDENTIAL_SECRET=[snip]
Marking Terraform variables as sensitive=true only protects them from being displayed accidentally. While I'd hope that variables defining provider credentials aren't re-used elsewhere in a Terraform configuration and thus won't find their way into state, it's not guaranteed.
Forcing the credentials to be loaded dynamically avoids the issue of either forcing the user to specify the credentials at runtime (via -var, -var-file, or being prompted), or storing them in a *.tfvars file (or worse, in the configuration itself) which might get accidentally committed to source control. Using the OpenRC file also makes it much easier to set short-lived credentials, which can be rotated simply by downloading a new file and sourcing it into the user's shell.
The ask
Please can the Wikimedia CloudVPS provider *also* read from the OS_* environment variables if the values are not defined directly in Terraform configuration, in the same way that the existing OpenStack provider can?
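A pre-flight check for the concern raised under Background, added here as an example and not part of the original task or of either provider: after sourcing the OpenRC file, it confirms the credential variables are present and that the secret has not ended up in configuration, *.tfvars or local state files. The function names, the `openrc.sh` file name and the choice of required variables are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original task): pre-flight checks to run
# after sourcing the OpenRC file and before invoking Terraform.
# Usage (openrc.sh is a hypothetical file name):
#   . ./openrc.sh && missing_openrc_vars && find_leaked_secret . && terraform plan

# Assumption: the minimum set of OS_* variables needed for application
# credential auth; extend it to match your OpenRC file.
REQUIRED_OS_VARS="OS_AUTH_URL OS_APPLICATION_CREDENTIAL_ID OS_APPLICATION_CREDENTIAL_SECRET"

# Print the names (never the values) of required variables that are unset
# or empty. Returns 0 when nothing is missing, 1 otherwise.
missing_openrc_vars() (
    missing=""
    for name in $REQUIRED_OS_VARS; do
        eval "value=\${$name:-}"   # names come only from the fixed list above
        [ -n "$value" ] || missing="$missing $name"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
)

# Print the Terraform files under directory $1 (default: .) that contain the
# application credential secret verbatim: configuration, *.tfvars, local state.
# Returns 0 when clean, 1 when a file matches, 2 when the secret is not set.
find_leaked_secret() (
    dir=${1:-.}
    [ -n "${OS_APPLICATION_CREDENTIAL_SECRET:-}" ] || exit 2
    hits=$(
        find "$dir" -type f \( -name '*.tf' -o -name '*.tfvars' \
            -o -name '*.tfvars.json' -o -name '*.tfstate' \
            -o -name '*.tfstate.backup' \) |
        while IFS= read -r file; do
            # The pattern is fed on stdin so the secret never appears in argv.
            if printf '%s\n' "$OS_APPLICATION_CREDENTIAL_SECRET" |
                grep -qF -f - "$file"; then
                printf '%s\n' "$file"
            fi
        done
    )
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        exit 1
    fi
    exit 0
)
```

A non-zero status from `find_leaked_secret` with a state file in its output means the credential should be treated as exposed to anyone who can read that state, and rotated.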