Description
Problem Statement
Many APIs today employ multi-factor authentication mechanisms, and in most cases the relevant SDKs also automate this authentication in some way. Most or all Terraform providers, however, do not take full advantage of this automation today.
Providing the 2FA token is often done out of band; in the case of AWS, for example, a configuration file is managed by external tooling such as https://github.com/broamski/aws-mfa
This gives users a way to authenticate with an API, but the approach comes with certain drawbacks:
- because Terraform does not fully manage the authentication/session, it has no way of knowing when a token may expire
- even when it does know that the token has expired, it cannot act on it if the authentication requires user input
In the best case Terraform will therefore error out with an authentication error; more often it silently keeps retrying, treating the failures as transient or expecting external tooling to refresh the token.
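As an added illustration (not code from this issue, Terraform, or aws-mfa), a provider-side check that reads the expiry timestamp an external MFA helper records next to the temporary credentials and fails fast with an actionable error before any API call, instead of leaving core to retry; the credentials-file layout, the `expiration` key and its timestamp format are assumptions:

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed sample of a credentials file as an external MFA helper might write it.
// The "expiration" key and its layout are assumed here, not taken from any tool's docs.
const sampleCredentials = `[default-long-term]
aws_access_key_id = AKIAEXAMPLE
aws_secret_access_key = EXAMPLESECRET

[default]
aws_access_key_id = ASIAEXAMPLE
aws_secret_access_key = EXAMPLESECRET
aws_session_token = EXAMPLETOKEN
expiration = 2024-01-01 12:00:00
`

// profileExpiration returns the expiration recorded for one INI profile, or an error if none.
func profileExpiration(contents, profile string) (time.Time, error) {
	inProfile := false
	sc := bufio.NewScanner(strings.NewReader(contents))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			inProfile = strings.Trim(line, "[]") == profile // entered a new section
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !inProfile || !ok || strings.TrimSpace(key) != "expiration" {
			continue
		}
		return time.Parse("2006-01-02 15:04:05", strings.TrimSpace(val))
	}
	return time.Time{}, errors.New("no expiration recorded for profile " + profile)
}

// checkSession is the check a provider's configure step could run before the first request:
// an expired session becomes a clear error telling the user to refresh it, not a retry loop.
func checkSession(contents, profile string, now time.Time) error {
	exp, err := profileExpiration(contents, profile)
	if err != nil {
		return err
	}
	if !now.Before(exp) {
		return fmt.Errorf("session for profile %q expired at %s; re-run your MFA tool", profile, exp.Format(time.RFC3339))
	}
	return nil
}
```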
It is currently impossible for providers to prompt dynamically for any configuration: prompting is the responsibility of core, and providers only supply a schema on which core bases its questions to the user.
Proposal
There is no concrete idea on how to solve this yet, but in short Terraform could give providers a way of prompting the user for parts of the provider configuration, such as a TOTP token.