Conditional Artifactory usage requires access token and URL while they are not used #1175

Closed
tomvmeer opened this issue Jan 20, 2025 · 6 comments

tomvmeer commented Jan 20, 2025

Describe the bug

artifactory_file data source with count of 0 causes Terraform plan to try to authenticate with Artifactory.

Requirements for an issue

  • For deploying my terraform in the dev environment for testing I do not want to use Artifactory files but rather local files. I achieve this by dynamically setting the count of Artifactory files to 0 in my Terraform code. This works as expected and Artifactory is not used at all during my plan/apply (I can use fake artifact repositories and paths, which makes me believe the code blocks are ignored). The problem is that I do need to provide a real Artifactory URL and token, even though Terraform does not need them!
  • Example code:

```hcl
terraform {
  required_providers {
    artifactory = {
      source  = "jfrog/artifactory"
      version = "12.8.1"
    }
  }
}
provider "artifactory" {
  url           = null
  access_token  = null
}
data "artifactory_file" "jar-file" {
  count       = 0
  repository  = "foo"
  path        = "bar"
  output_path = ""
}
```

  • JFrog Enterprise Plus 7.77.11 rev 77711900
  • Terraform v1.7.5
  • provider v12.8.1

Expected behavior
The provider should not try to contact Artifactory to authenticate when Artifactory is not being used at all.

tomvmeer added the bug label Jan 20, 2025

@alexhung (Member)

@tomvmeer The checks/usages for the Artifactory URL and token are part of the provider initialization process. At that time, the provider does not know if there are any resources being used so it is not possible to skip the check/usage.

@tomvmeer (Author)

@alexhung thanks for your response! What I then don't understand is why this still works:

```hcl
terraform {
  required_providers {
    artifactory = {
      source  = "jfrog/artifactory"
      version = "12.8.1"
    }
  }
}
provider "artifactory" {
  url           = null
  access_token  = null
}
```

... some non-Artifactory-related code

The provider seems to understand no resources will be created using it and it does not initialize?

@alexhung (Member)

@tomvmeer This is most likely because Terraform itself sees that no artifactory resources are defined in the configuration and therefore there's no need to initialize the provider.

@tomvmeer (Author) commented Jan 21, 2025

I understand, I see other providers solve this issue by only trying to create the connection to the external system during the apply stage of a specific resource (see for example This one). Given that resources with count=0 are not included in the apply, the issue presented here does not occur.

Is this something the Artifactory Terraform provider could implement too?

@alexhung (Member)

@tomvmeer It is a conscious design decision and trade-off. The other providers don't check for an empty URL/token and make API requests regardless of whether they are set. This will generate an authentication error during apply time.

In JFrog providers, we check the URL/token during provider initialization so that unset/empty values are caught as soon as possible. This benefits most of our users, as an empty URL/token is very likely a mistake and unintended.

You may be interested in using OpenTofu instead. Looks like they are adding optional/conditional providers: https://github.com/opentofu/opentofu/releases/tag/v1.9.0. HashiCorp added a similar concept but only to their HCP offering as Stacks.
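
Added example, not part of the thread and not the provider's own code: a simplified Go model of the two credential-check strategies discussed above, showing at which phase an empty URL/token is reported for `count = 0` and `count = 1`. The names `Config`, `Outcome`, `runEager` and `runLazy` are hypothetical.

```go
package main

import "errors"
import "fmt"

// Config models the provider block from the issue; "" stands in for null.
type Config struct{ URL, AccessToken string }

var ErrMissingCreds = errors.New("url and access_token must be set")

func (c Config) validate() error {
	if c.URL == "" || c.AccessToken == "" {
		return ErrMissingCreds
	}
	return nil
}

// Outcome records the phase where a run stopped; FailedAt == "" means success.
type Outcome struct {
	FailedAt string
	Err      error
}

// runEager checks credentials while the provider is configured, before the
// number of resource instances is known, so count = 0 still fails.
func runEager(c Config, instances int) Outcome {
	if err := c.validate(); err != nil {
		return Outcome{"configure", err}
	}
	return Outcome{}
}

// runLazy checks only when an instance needs the API: count = 0 never
// touches the credentials, but a missing token surfaces as late as apply.
func runLazy(c Config, instances int) Outcome {
	for i := 0; i < instances; i++ {
		if err := c.validate(); err != nil {
			return Outcome{"apply", err}
		}
	}
	return Outcome{}
}

func main() {
	for _, n := range []int{0, 1} {
		fmt.Printf("count=%d eager=%q lazy=%q\n", n, runEager(Config{}, n).FailedAt, runLazy(Config{}, n).FailedAt)
	}
}
```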

@tomvmeer (Author)

Thanks for the discussion, @alexhung. I will close this issue now!
