@jonquilwilliams jonquilwilliams commented Nov 11, 2025

@jonquilwilliams jonquilwilliams added the documentation, Ready for technical review, 2.5, Delay backport, and 2.6 labels Nov 11, 2025

@dleehr dleehr left a comment

Minor suggestion around best practices for credentials needed for configuration.

host = "https://AAP_HOST"
username = "ansible"
password = "test123!"
token = "my-aap-token" # Also supports AAP_TOKEN environment variable
I believe this example comes from our registry docs, https://registry.terraform.io/providers/ansible/aap/latest/docs#example-usage, and I have been thinking about how we demonstrate best practices around tokens/passwords.

As a best practice we should not encourage putting a token (or password - anything secret) directly into a file like this, since these files get committed to version control and shared. Putting secrets in them is just asking for trouble. We should make sure that users are aware of that, and recommend using the AAP_TOKEN environment variable instead of putting a credential directly in the file.

The AWS provider has a pretty good warning that calls this out, so I suggest we include something like that in our docs (and what we put on the registry). From https://registry.terraform.io/providers/hashicorp/aws/latest/docs#provider-configuration:

Warning:
Hard-coded credentials are not recommended in any Terraform configuration and risks secret leakage should this file ever be committed to a public version control system.

Suggested change
token = "my-aap-token" # Also supports AAP_TOKEN environment variable
token = "my-aap-token" # Do not record credentials directly in Terraform configuration. Provide your token via the AAP_TOKEN environment variable.
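Review bot: the replacement line still assigns the literal `token = "my-aap-token"`, so the example keeps showing the pattern its new comment tells readers to avoid. Consider dropping the `token` argument from the example and keeping only a comment that points to the AAP_TOKEN environment variable. The `password = "test123!"` line in the same snippet is also a hard-coded secret and is not covered by this suggestion.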
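One way to catch the pattern discussed in this review before it reaches version control, as an added example that is not part of the pull request or the provider's documentation: a small check that flags `password` and `token` arguments set to string literals in Terraform text. The function names and the `provider "aap"` wrapper around the snippet's lines are assumptions made for the example.

```python
import re

# Secret-bearing attributes taken from the provider snippet under review.
SECRET_ATTRS = {"password", "token"}
ASSIGNMENT = re.compile(r'^\s*([A-Za-z_][\w-]*)\s*=\s*(.*)$')

def strip_comment(line):
    """Drop a trailing # or // comment, ignoring markers inside quoted strings."""
    in_string, i = False, 0
    while i < len(line):
        ch = line[i]
        if in_string:
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "#" or line.startswith("//", i):
            return line[:i]
        i += 1
    return line

def find_hardcoded_secrets(tf_text):
    """Return (line_number, attribute) for each secret set to a string literal."""
    findings = []
    for number, raw in enumerate(tf_text.splitlines(), start=1):
        match = ASSIGNMENT.match(strip_comment(raw))
        if not match or match.group(1) not in SECRET_ATTRS:
            continue
        value = match.group(2).strip()
        # A quoted, non-empty value without ${...} interpolation is a literal;
        # references such as var.aap_token are unquoted and pass.
        if len(value) > 2 and value[0] == value[-1] == '"' and "${" not in value:
            findings.append((number, match.group(1)))
    return findings

# Constructed sample: the reviewed lines wrapped in an assumed provider block.
FLAGGED = '''provider "aap" {
  host     = "https://AAP_HOST"
  username = "ansible"
  password = "test123!"
  token    = "my-aap-token" # Also supports AAP_TOKEN environment variable
}
'''

if __name__ == "__main__":
    for number, attr in find_hardcoded_secrets(FLAGGED):
        print(f"line {number}: {attr} is a hard-coded literal")
```

A configuration that omits `token` and relies on AAP_TOKEN, or that passes a variable reference, produces no findings.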
