Add ephemeral complement

[tcldr]

Terraform CLI and Provider Versions

Terraform 1.11.2
http v3.4.5

Use Cases or Problem Statement

Some services require the generation of one-time tokens that can be automated via the http data source. For example, the OpenStack provider accepts a token input:

provider "openstack" {
  ...
  user_id = jsondecode(data.http.token.response_body).token.user.id
  token = data.http.token.response_headers["X-Subject-Token"]
}

However, this retains the http's data source output in the Terraform state file.

Proposal

It would be great if we could expose an ephemeral http complement to the http data source that would keep credentials generated via this mechanism secure.

How much impact is this issue causing?

High

Additional Information

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[austinvalle]

Hey there @tcldr 👋🏻 ,

We chatted about this during our triage meeting and we'd be open to accepting a contribution (not specifically from you, but anyone that may happen across this issue 😅 ) that adds an ephemeral http resource type. I imagine the implementation should be very similar to the http data source that already exists 👍🏻

[danilobuerger]

Hi @austinvalle I have implemented this in my custom provider and want to upstream it here. Any preference on where the shared logic between the data source and ephemeral resource should live? Everything in Read is exactly the same in Open except one line.

[austinvalle]

Hi @danilobuerger 👋🏻, if you're not planning on adding tests for just the shared logic (which I think it's fine if we just test everything through terraform-plugin-testing), I'd just put it in a shared function in the internal/provider package. If you do want to test just the shared logic, you could bump it into it's own package in internal.

Since it's just two things consuming the shared logic, internal private function feels sufficient to me 👍🏻

[danilobuerger]

Thanks @austinvalle , I added the PR. Do you have time to check it?