Remove default "terraform" partner_id #4747

Closed
schuettecarsten opened this issue Oct 29, 2019 · 21 comments · Fixed by #4751

@schuettecarsten

schuettecarsten commented Oct 29, 2019

Please remove the default partner_id from azurerm that was introduced in #4663. If no provider_id is specified, then no provider_id should be sent to Azure.

Using the default "terraform" partner_id is absolutely unacceptable. The partner_id is used for a Microsoft program called Azure Template Tracking. Partners who provide their partner id will get credits or some kind of (possibly confidential) information about the deployments. So, maybe "terraform" gets detailed information about our deployment structure. For us, this is a very critical security and compliance issue.

From Microsoft documentation:

This program will allow ISVs who deploy their software on an Azure customer’s infrastructure an opportunity to get credit for the impact of their software.

The data generated by the Azure ISV Customer Usage Attribution program will be used for ISV partners to qualify for partner programs by providing an automated method of linking a customer's usage to the ISV's software.

ISV partners will receive reporting for deployments from the Azure ISV Customer Usage Attribution program. Data may be anonymized for deployments from outside of Azure Marketplace. Reporting will be made available in the Cloud Publisher Portal, the same platform where GUIDs will be registered and partners can configure and manage listings for Azure Marketplace.

@schuettecarsten changed the title from "Remove default Hashicorp partner_id" to "Remove default "terraform" partner_id" Oct 29, 2019

@lattwood

This could be accomplished via user agents and we'd be none the wiser.

@kyleingraham

Honest question: why not just set your own value in the config to override their default? It seems to me that there would be no reporting to Azure at all once you’ve done that.

@bithavoc

So, maybe "terraform" gets detailed information about our deployment structure.

So that settles it, if hashicorp clarifies they aren’t actually getting detailed information about the deployments then I guess we're ok with Hashicorp making a bit of money off the project they’ve poured so much money in the first place.

Btw, thank you Hashicorp for creating Terraform 🎉

@Omeryl

Omeryl commented Oct 29, 2019

If it's just a "referral code" if you will, and Hashicorp confirms they don't get any sort of deployment data (since this seems to be a maybe) then I have zero problems with this situation. It's the absolute least we can do to support the project.

@mitchellh
Contributor

I just posted this on Hacker News as well:

Hi everyone,

I'm the founder of HashiCorp.

I want to make something clear up front that this does NOT allow us to see resource usage by Terraform user and does NOT result in credits or revenue sharing at all. HashiCorp has no direct access to this information in any form.

Before explaining "why" we do this, I do want to apologize and say that adding this without proper explanation was a mistake. It isn't clear why it's there and I think enough companies have hurt users with features like this that defaulting to a negative reaction makes sense. I'm sorry. I promise (and will explain) that our usage is not nefarious, and even further this ID does not give us access to anything directly.

The "why": the partner ID lets Microsoft better track Terraform usage internally (with data they already have access to, just lets them filter it by Terraform). Microsoft does share aggregate information with us ("x% of all Azure workloads") but does not go any more granular than that.

This information is used by Microsoft to gauge how much investment to make into Terraform as well as what resources are a priority to fix any issues or make improvements to. Microsoft is a big partner of ours and as part of that partnership they employ full-time people to improve the Terraform provider. Part of making that partnership successful is measuring the output of it and this is one mechanism that allows them to do that. I can say that the usage information given by this partner code has directly resulted in more headcount being assigned to the "azurerm" Terraform provider that may not have been otherwise assigned.

Note that all this partner ID does is let Microsoft filter by "Terraform." They already have and use all information around what resources are being spun up by accounts (as you would expect any IaaS or even SaaS to do). This doesn't introduce anything else other than that easier filter for them.

The partner ID used by Terraform was provided directly by Microsoft and generated by them. It is not associated with our Azure accounts at all. This is an extra assurance that we don't have access to any partner information using this ID.

Some have pointed out that the docs specifically state that this is used for credit/revenue sharing. That is a feature of the partner ID but not one that we use. Azure is a large, complex platform and features are overloaded for different use cases. In our case, the partner ID does NOT provide us with any information, credits, or revenue. Zero.

Going forward, we will be building an option to opt out of using this partner ID. It was already noted in other comments that we made it configurable since there are other use cases for it that a Terraform user might want to set. We haven't made a direct option to opt-out and we will do that in the next release. As a workaround today, you can set any partner ID you want (an invalid value) and we will send that and that will function similarly.

Note that for years all our providers have also sent a custom user agent that notes Terraform and the version of Terraform being used. We haven't been secret about this (I've publicly tweeted about it many times), but it feels important to call out in this comment as well. This information could also be used by providers to determine Terraform usage. Similarly, HashiCorp has no direct access to this information.

I'm happy to answer any questions, and once again I'm sorry about how this wasn't communicated up front.

@schuettecarsten
Author

schuettecarsten commented Oct 29, 2019

I'm happy to answer any questions, and once again I'm sorry about how this wasn't communicated up front.

Thank you for clarification!

For me, it would be absolutely okay if Hashicorp gets some kind of revenue or credits, as Terraform is a really great tool. My biggest issue was the documentation, that the id-issuer can get more or less detailed information about the deployments. If it's clear that this does not happen, I'm fine.

@rekcus2

This comment was marked as abuse.

@echuvyrov
Contributor

Apologies for not properly vetting the change with the community before releasing it. We will ensure that the intent behind the changes we introduce in the future is clear.

It's been noted that the community has expressed concerns that Terraform does not cover some of the latest, important features in Azure. As Mitchell stated, the only goal of this addition was to marshal more resources towards Terraform provider for Azure, and an Azure partner customer usage attribution program allows us to do that.

For more information about the partnership program, you can visit https://docs.microsoft.com/en-us/azure/marketplace/azure-partner-customer-usage-attribution

@mitchellh
Contributor

mitchellh commented Oct 29, 2019

Hi @rekcus2, I would agree with you if we were making available any information that isn't already available. As noted in my response, Microsoft already has full access to all the information anyways associated by rich information like user ID and often organization ID (this is Microsoft data, not Terraform).

The partner ID makes it easier for them to justify supporting this provider further. It doesn't give us direct access to any of it. Therefore, the partner ID only serves to help this MPL2-licensed OSS project by giving us access to more full time help in maintaining it. It does not cost us or the user any PII since that user information is being submitted anyways via any API calls (Terraform or not).

Therefore, default opt-out in this case would only serve to harm both the users and the project. And default opt-in does not send any more user information than is already sent (and already associated by an account).

@markbernard I do appreciate the defense, but I'd like to ask that we keep the discussion trended towards kindness. This goes for us all in accordance with our community guidelines. https://www.hashicorp.com/community-guidelines

@rekcus2

This comment has been minimized.

@tombuildsstuff
Contributor

👋

Thanks for opening this issue and raising this.

We've opened #4751 which includes a new feature to allow users to opt-out of this Default Terraform Partner ID; which will ship in a new version of the AzureRM Provider later today (v1.36.1).

When this release becomes available it'll be possible to opt out of the Partner ID either in the Provider Block, like so:

provider "azurerm" {
  version = "=1.36.1"
  disable_terraform_partner_id = true
}

or by setting the Environment Variable ARM_DISABLE_TERRAFORM_PARTNER_ID to true.

Shortly after the release is available the Provider Documentation will include some more information on this and how to opt-out.

I'll post an update here when that's available - but thanks again for raising this, apologies that we didn't include an option to opt-out in the initial release.

Thanks!
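
An added example, not part of the original thread or the provider's code: a small Python audit that classifies each provider "azurerm" block by what the comments above say it would send. The sample configuration and the function names are constructed for illustration; the parser is a simple brace matcher that assumes no braces inside strings or comments, and it assumes an explicit partner_id is sent regardless of the opt-out flag.

```python
import os
import re

ENV_VAR = "ARM_DISABLE_TERRAFORM_PARTNER_ID"
PROVIDER_RE = re.compile(r'provider\s+"azurerm"\s*\{')

# Constructed sample configuration (not taken from any real repository).
SAMPLE = '''
provider "azurerm" {
  version = "=1.36.1"
  disable_terraform_partner_id = true
}
provider "azurerm" {
  alias = "legacy"
}
provider "azurerm" {
  alias      = "isv"
  partner_id = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
}
'''

def provider_blocks(hcl):
    """Yield the body of each provider "azurerm" block via brace matching."""
    for m in PROVIDER_RE.finditer(hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield hcl[m.end():i - 1]

def attribute(body, name):
    """Return the value of an uncommented `name = value` line, or None."""
    m = re.search(rf'^\s*{re.escape(name)}\s*=\s*(.+?)\s*(?:#.*)?$', body, re.M)
    return m.group(1).strip('"') if m else None

def classify(body, env):
    """Decide what a block sends; only the literal value "true" counts as opt-out."""
    if attribute(body, "partner_id"):
        return "custom partner_id"
    if attribute(body, "disable_terraform_partner_id") == "true":
        return "opted out (provider block)"
    if env.get(ENV_VAR, "").lower() == "true":
        return "opted out (environment)"
    return "default Terraform partner ID sent"

def audit(hcl, env):
    return [classify(body, env) for body in provider_blocks(hcl)]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, os.environ)))
```

Blocks reported as sending the default are the ones that need either the provider-block setting or the environment variable described above.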

@mitchellh
Contributor

mitchellh commented Oct 29, 2019

I'm sorry @rekcus2 but I hid your comment. Anyone with a GitHub account can still choose to view the comment if they want. While there were reasonable opinions raised in it, it contained inflammatory language that would only serve to offend and hurt myself and potentially members of this community. You're welcome to participate but only if you agree to follow our community guidelines: https://www.hashicorp.com/community-guidelines

My only response to your comment at this stage is perhaps that I respectfully disagree.

@rekcus2

This comment has been minimized.

@AlgorithmsAreCool

AlgorithmsAreCool commented Oct 29, 2019

Just some random guy from HN here. Nothing to do with anything, proud to say I do not even know what terraform actually IS or what HashiCorp actually does (I know it when I hear about it again), did not even read the full claimed to be "not nefarious" purpose.

@rekcus2
Admitting that you don't know or care about what is being discussed and then expecting people to take your post seriously is an extraordinary display of hubris.

At the time of writing I was the 1st who downvoted that, while writing the 2nd came in, there are now 67 thumbs up. I think this is troubling and the fact that you people's standards are so low is sad. Nowadays it seems companies deserve applause for not trying to sneak in some bullshit but instead apparently sneak it in for "bullgood" TM.

Despite this potential example of poor communication, Hashicorp has a lot of goodwill from the community and most people are probably willing to give them the benefit of the doubt.

@rekcus2

This comment was marked as abuse.

@tombuildsstuff
Contributor

👋

Version 1.36.1 of the Azure Provider has been released - you can upgrade by specifying the version in your provider block:

provider "azurerm" {
  version = "=1.36.1"
}

and then running terraform init -upgrade which will download the latest version of the Azure Provider and switch to using this.

As mentioned above this release contains support for opting out of the Default Terraform Partner ID - more information can be found in the Terraform Website Documentation.

Thanks!

@OliverCole

@mitchellh I think this would have been a great discussion on the original PR, where a perfectly reasonable question was raised, and either ignored or answered out of band.

@richeney
Contributor

richeney commented Nov 1, 2019

Point of clarification as I work for Microsoft with UK partners. The "credit" for using Customer Usage Attribution is purely recognition. There is nothing financial directly related to it. The data is very aggregated and generalised so as a partner you cannot interrogate it for any customer level information.

@leehambley

leehambley commented Nov 1, 2019

This topic came to a close already, and @mitchellh did an amazing job of addressing people's immediate reaction of fear and distrust (in the current climate of capricious companies taking every opportunity to seize data).

That all said @richeney I think coming to a forum such as this and claiming that Microsoft cares about customer privacy risks setting you up to be attacked. If Microsoft truly cared about these things they wouldn't have relationships with oppressive regimes, be operating data centres for mass surveillance, and perhaps the least significant, on this sliding scale... the absurd amount of unavoidable "telemetry" in Windows 10 which has been the subject of a number of legal challenges world-wide.

Microsoft has been improving in recent years, and their commitment to open source, especially is gratifying, but trust is hard won, and easily lost.

@richeney
Contributor

richeney commented Nov 1, 2019

I wouldn't want this to go off topic based on a subjective comment so I edited my post to purely the key objective facts.

My point was that using partner_id (and Hashicorp's more recent default value) is not linked to a commercial rebate or incentive. One poster had inferred that from the word "credit". And then @mitchellh said "Some have pointed out that the docs specifically state that this is used for credit/revenue sharing." I thought it was important to correct that and say that this is solely a recognition mechanism and that applies to all partners who use it, not just Hashicorp.

@paultyng
Contributor

paultyng commented Nov 1, 2019

I'm going to lock this issue, the posts above from @mitchellh and @tombuildsstuff address the technical concerns and privacy concerns raised I believe. If people have additional or new concerns please open a new issue, the additional discussion is probably best had in another forum outside of GitHub issues.

@hashicorp hashicorp locked as resolved and limited conversation to collaborators Nov 1, 2019