ConflictsWith deprecation warning

[dak1n1]

SDK version

github.com/hashicorp/terraform-plugin-sdk/v2 v2.4.4

Use-cases

Summary:

Warn users prior to the breaking change of enabling ConflictsWith on provider configuration attributes.

Details:

In the Kubernetes and Helm providers, we're currently considering enabling ConflictsWith on some mutually-exclusive authentication options in the provider config. However, to do so would be a breaking change, since the provider has supported setting multiple authentication methods since it was first created.

In the past, the provider would intake all configuration options (even ones that cannot be used together) and it would assemble a Kubernetes client config from it. The actual options being used to authenticate to a cluster could be much different from what the user expects, and there was a fairly widespread problem of users accidentally connecting to the wrong cluster. To mitigate this, we want to make the configuration process more straightforward and explicit, so that users know exactly which of their options are actually being used.

Attempted Solutions

As far as I could tell, the only way to send a warning to users (without using debug logging) would be to use the Deprecated field on the schema attribute. I tried this, but I couldn't find a way to conditionally set Deprecated, since I only want to warn them when multiple options are used together (simulating ConflictsWith, but with a deprecation warning instead of a fatal error).

Proposal

I want to be careful not to disrupt the users' CI pipelines that would come to a halt if I were to enable ConflictsWith without warning. My proposal is to create a new field that we could set on the schema, similar to Deprecated, where we could give it a warning string and also pass in the names of the conflicting attributes.

"client_key": {
	Type:        schema.TypeString,
	Optional:    true,
	Description: "PEM-encoded client certificate key for TLS authentication.",
	Type:          schema.TypeString,
	Optional:      true,
	DefaultFunc:   schema.EnvDefaultFunc("KUBE_CLIENT_KEY_DATA", nil),
	ConflictsWithWarning: "`client_key` is incompatible with one or more of the configured options. The provider will choose one  and continue, but this feature will be removed in a future version. Please update your configuration to choose only one of the following:", []string{"config_path", "config_paths", "username", "password", "exec", "insecure"},
},

References

• Add ConflictsWith to provider authentication config terraform-provider-kubernetes#1141

[bflad]

It may be possible to return a diagnostic warning using schema.Provider.ConfigureContextFunc, although warnings themselves can cause strange behavior before Terraform CLI version 0.15 releases.

[dak1n1]

FYI, I talked with Paddy about this feature request and he gave me some direction about how I can implement it in the SDK. I'll have a PR for it soon.