"use_local_config": conflicts with auth_token #290

Closed
sapslaj opened this issue May 30, 2023 · 3 comments
Labels
bug Something isn't working wontfix This will not be worked on


sapslaj commented May 30, 2023

Terraform Version, ArgoCD Provider Version and ArgoCD Version

Terraform version: v1.4.5
ArgoCD provider version: v5.4.0
ArgoCD version: v2.6.3

Affected Resource(s)

  • provider configuration

Terraform Configuration Files

terraform {
  required_version = "~> 1.4.5"

  required_providers {
    argocd = {
      source  = "oboukili/argocd"
      version = "~> 5.4.0"
    }
  }
}

variable "argocd_use_local_config" {
  type    = bool
  default = false
}

provider "argocd" {
  server_addr      = "argocd.example.com:443"
  use_local_config = var.argocd_use_local_config
}

# Placeholder resource just to get the provider working
resource "argocd_cluster" "placeholder" {
  config {}
}

Debug Output

Panic Output

N/A

Steps to Reproduce

Using above config:

  1. Set ARGOCD_AUTH_TOKEN
  2. Run a plan
  3. Error:
Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Conflicting configuration arguments
│ 
│   with provider["registry.terraform.io/oboukili/argocd"],
│   on main.tf line 17, in provider "argocd":
│   17: provider "argocd" {
│ 
│ "auth_token": conflicts with use_local_config
╵
╷
│ Error: Conflicting configuration arguments
│ 
│   with provider["registry.terraform.io/oboukili/argocd"],
│   on main.tf line 18, in provider "argocd":
│   18:   use_local_config = var.argocd_use_local_config
│ 
│ "use_local_config": conflicts with auth_token

However,

  1. Run argocd login
  2. Set ARGOCD_CONTEXT
  3. Set TF_VAR_argocd_use_local_config="true"
  4. Run a plan
  5. Plan will succeed:
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
  + create

Terraform will perform the following actions:

  # argocd_cluster.placeholder will be created
  + resource "argocd_cluster" "placeholder" {
      + id   = (known after apply)
      + info = (known after apply)

      + config {
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Expected Behavior

Setting use_local_config = false should not conflict with using an auth token.

Actual Behavior

Two errors:

  • "auth_token": conflicts with use_local_config
  • "use_local_config": conflicts with auth_token

Attempting to only use environment variables (e.g. not setting use_local_config at all) also results in errors when trying to use ARGOCD_CONTEXT:

╷
│ Error: Missing required argument
│ 
│   with provider["registry.terraform.io/oboukili/argocd"],
│   on main.tf line 17, in provider "argocd":
│   17: provider "argocd" {
│ 
│ "password": one of `auth_token,core,password,use_local_config,username` must be specified
╵
╷
│ Error: Missing required argument
│ 
│   with provider["registry.terraform.io/oboukili/argocd"],
│   on main.tf line 17, in provider "argocd":
│   17: provider "argocd" {
│ 
│ "username": one of `auth_token,core,password,use_local_config,username` must be specified
╵

Important Factoids

For background, I'm attempting to make this provider work both on local machines as well as via CI. CI uses an auth token while local machines can use the Argo CD CLI with argocd login --sso. Argo CD is set up with SSO via Okta but there is a non-SSO service account with an API token just for CI. Argo CD is available via VPN on our network so from the provider's perspective the server address is always directly accessible.

A workaround is to have an override.tf when running locally:

# providers.tf
provider "argocd" {
}

# providers_override.tf
provider "argocd" {
  use_local_config = true
}

This is undesirable because it needs to be done for every instance where the provider is being used.

The provider changes introduced in v5.3.0 / #268 don't appear to be related. The same issue happens on v5.2.0 of the provider.

References

@sapslaj sapslaj added the bug Something isn't working label May 30, 2023

sapslaj commented May 30, 2023

fwiw removing auth_token and use_local_config from each other's ConflictsWith seems to remove the issue in my testing. That said, there might be some side effects from that change with how it validates the config now.

diff --git a/argocd/provider.go b/argocd/provider.go
index ab2707c..11933a2 100644
--- a/argocd/provider.go
+++ b/argocd/provider.go
@@ -62,7 +62,6 @@ func Provider() *schema.Provider {
 					"config_path",
 					"core",
 					"password",
-					"use_local_config",
 					"username",
 				},
 			},
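Review bot: With "use_local_config" dropped from this ConflictsWith list, nothing visible in the patch rejects a token supplied together with `use_local_config = true`, so which credential source is used in that case becomes implicit. Consider an explicit check at configure time that errors only when `use_local_config` is true and a token is also set, or document which of the two takes precedence.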
@@ -132,7 +131,6 @@ func Provider() *schema.Provider {
 					"core",
 					"username",
 					"password",
-					"auth_token",
 				},
 			},
 			"user_agent": {
@@ -172,7 +170,6 @@ func Provider() *schema.Provider {
 				Optional:    true,
 				Description: "Use the authentication settings found in the local config file. Useful when you have previously logged in using SSO. Conflicts with `auth_token`, `username` and `password`.",
 				ConflictsWith: []string{
-					"auth_token",
 					"core",
 					"password",
 					"username",
@@ -184,7 +181,6 @@ func Provider() *schema.Provider {
 				DefaultFunc: schema.EnvDefaultFunc("ARGOCD_CONFIG_PATH", nil),
 				Description: "Override the default config path of `$HOME/.config/argocd/config`. Only relevant when `use_local_config`. Can be set through the `ARGOCD_CONFIG_PATH` environment variable.",
 				ConflictsWith: []string{
-					"auth_token",
 					"core",
 					"password",
 					"username",

@onematchfox
Collaborator

@sapslaj I agree this behaviour is a bit strange. Unfortunately, Terraform's ConflictsWith function is not cognisant of "default" values and will error regardless of whether an attribute is set to true or false. Fixing this is something we will look to address in future when migrating to the terraform-plugin-framework (although that is a much larger piece of work and will not likely happen for quite a while). For the time being, you can achieve what you are trying to do by setting the default value of argocd_use_local_config to null rather than false. If that doesn't work for you, then please let me know, and I can reopen this issue.

@onematchfox onematchfox added the wontfix This will not be worked on label May 31, 2023

sapslaj commented May 31, 2023

@onematchfox Aww man I forgot about null. I just tested it out and that seems to be working for our use case.

For anyone else who encounters this issue, here's the minimum config that does work:

terraform {
  required_version = "~> 1.4.5"

  required_providers {
    argocd = {
      source  = "oboukili/argocd"
      version = "~> 5.4.0"
    }
  }
}

variable "argocd_use_local_config" {
  type     = bool
  default  = null # <- note the `null`
}

provider "argocd" {
  use_local_config = var.argocd_use_local_config
}

resource "argocd_cluster" "placeholder" {
  config {}
}

Setting ARGOCD_AUTH_TOKEN in CI works as intended and setting ARGOCD_CONTEXT and TF_VAR_argocd_use_local_config=true on local machines is also working as intended.
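The behaviour discussed in this thread, as an added example that is not code from the provider or from the Terraform SDK: a simplified model of a presence-based conflict check, showing why `false` still conflicts while `null` (key absent) does not, next to a value-aware check. `Config`, `PresenceCheck` and `ValueAwareCheck` are hypothetical names, and the token value is constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Config models raw provider configuration. A null or omitted argument is
// simply absent from the map. Simplified model, not SDK code.
type Config map[string]interface{}

// Constructed subset of the ConflictsWith relationships from the issue.
var conflictsWith = map[string][]string{
	"auth_token":       {"use_local_config"},
	"use_local_config": {"auth_token"},
}

// PresenceCheck reports a conflict whenever both keys are present,
// regardless of their values (the behaviour described by the maintainer).
func PresenceCheck(c Config) []string {
	var errs []string
	for key, others := range conflictsWith {
		if _, set := c[key]; !set {
			continue
		}
		for _, o := range others {
			if _, set := c[o]; set {
				errs = append(errs, fmt.Sprintf("%q: conflicts with %s", key, o))
			}
		}
	}
	sort.Strings(errs) // map iteration order is random; keep output stable
	return errs
}

// ValueAwareCheck is a hypothetical alternative: only an enabled
// use_local_config counts as a second credential source.
func ValueAwareCheck(c Config) []string {
	_, hasToken := c["auth_token"]
	if local, _ := c["use_local_config"].(bool); hasToken && local {
		return []string{`"use_local_config": conflicts with auth_token`}
	}
	return nil
}

func main() {
	ci := Config{"auth_token": "constructed-token", "use_local_config": false}
	fmt.Println(PresenceCheck(ci)) // both errors from the issue
	delete(ci, "use_local_config") // what `default = null` amounts to
	fmt.Println(PresenceCheck(ci)) // no errors
}
```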
