2020-03-13 13:22:24 -05:00
package command
import (
command: Early error message for missing cache entries of locked providers
In the original incarnation of Meta.providerFactories we were returning
into a Meta.contextOpts whose signature didn't allow it to return an
error directly, and so we had compromised by making the provider factory
functions themselves return errors once called.
Subsequent work made Meta.contextOpts need to return an error anyway, but
at the time we neglected to update our handling of the providerFactories
result, having it still defer the error handling until we finally
instantiate a provider.
Although that did ultimately get the expected result anyway, the error
ended up being reported from deep in the guts of a Terraform Core graph
walk, in whichever concurrently-visited graph node happened to try to
instantiate the plugin first. This meant that the exact phrasing of the
error message would vary between runs and the reporting codepath didn't
have enough context to given an actionable suggestion on how to proceed.
In this commit we make Meta.contextOpts pass through directly any error
that Meta.providerFactories produces, and then make Meta.providerFactories
produce a special error type so that Meta.Backend can ultimately return
a user-friendly diagnostic message containing a specific suggestion to
run "terraform init", along with a short explanation of what a provider
plugin is.
The reliance here on an implied contract between two functions that are
not directly connected in the callstack is non-ideal, and so hopefully
we'll revisit this further in future work on the overall architecture of
the CLI layer. To try to make this robust in the meantime though, I wrote
it to use the errors.As function to potentially unwrap a wrapped version
of our special error type, in case one of the intervening layers is
changed at some point to wrap the downstream error before returning it.
2021-10-01 16:51:06 -05:00
"bytes"
2021-05-18 09:59:14 -05:00
"errors"
2020-03-30 17:30:56 -05:00
"fmt"
2020-10-14 20:00:23 -05:00
"log"
2020-03-30 17:30:56 -05:00
"os"
"os/exec"
2020-10-14 20:00:23 -05:00
"strings"
2020-03-13 13:22:24 -05:00
2020-03-30 17:30:56 -05:00
plugin "github.com/hashicorp/go-plugin"
2021-05-17 14:00:50 -05:00
"github.com/hashicorp/terraform/internal/addrs"
2021-05-17 10:55:57 -05:00
terraformProvider "github.com/hashicorp/terraform/internal/builtin/providers/terraform"
2020-03-13 13:22:24 -05:00
"github.com/hashicorp/terraform/internal/getproviders"
2020-10-17 08:57:03 -05:00
"github.com/hashicorp/terraform/internal/logging"
2021-02-08 18:03:15 -06:00
"github.com/hashicorp/terraform/internal/moduletest"
2021-05-17 14:35:22 -05:00
tfplugin "github.com/hashicorp/terraform/internal/plugin"
tfplugin6 "github.com/hashicorp/terraform/internal/plugin6"
2020-03-13 13:22:24 -05:00
"github.com/hashicorp/terraform/internal/providercache"
2021-05-17 12:40:40 -05:00
"github.com/hashicorp/terraform/internal/providers"
2021-05-17 12:11:06 -05:00
"github.com/hashicorp/terraform/internal/tfdiags"
2020-03-13 13:22:24 -05:00
)
2020-03-30 17:30:56 -05:00
// The TF_DISABLE_PLUGIN_TLS environment variable is intended only for use by
// the plugin SDK test framework, to reduce startup overhead when rapidly
// launching and killing lots of instances of the same provider.
//
// This is not intended to be set by end-users.
var enableProviderAutoMTLS = os . Getenv ( "TF_DISABLE_PLUGIN_TLS" ) == ""
// providerInstaller returns an object that knows how to install providers and
// how to recover the selections from a prior installation process.
//
// The resulting provider installer is constructed from the results of
// the other methods providerLocalCacheDir, providerGlobalCacheDir, and
// providerInstallSource.
//
// Only one object returned from this method should be live at any time,
// because objects inside contain caches that must be maintained properly.
// Because this method wraps a result from providerLocalCacheDir, that
// limitation applies also to results from that method.
func ( m * Meta ) providerInstaller ( ) * providercache . Installer {
return m . providerInstallerCustomSource ( m . providerInstallSource ( ) )
}
// providerInstallerCustomSource is a variant of providerInstaller that
// allows the caller to specify a different installation source than the one
// that would naturally be selected.
//
// The result of this method has the same dependencies and constraints as
// providerInstaller.
//
// The result of providerInstallerCustomSource differs from
// providerInstaller only in how it determines package installation locations
// during EnsureProviderVersions. A caller that doesn't call
// EnsureProviderVersions (anything other than "terraform init") can safely
// just use the providerInstaller method unconditionally.
func ( m * Meta ) providerInstallerCustomSource ( source getproviders . Source ) * providercache . Installer {
targetDir := m . providerLocalCacheDir ( )
globalCacheDir := m . providerGlobalCacheDir ( )
inst := providercache . NewInstaller ( targetDir , source )
if globalCacheDir != nil {
inst . SetGlobalCacheDir ( globalCacheDir )
}
2020-04-01 18:44:50 -05:00
var builtinProviderTypes [ ] string
for ty := range m . internalProviders ( ) {
builtinProviderTypes = append ( builtinProviderTypes , ty )
}
inst . SetBuiltInProviderTypes ( builtinProviderTypes )
command: Unmanaged providers
This adds supports for "unmanaged" providers, or providers with process
lifecycles not controlled by Terraform. These providers are assumed to
be started before Terraform is launched, and are assumed to shut
themselves down after Terraform has finished running.
To do this, we must update the go-plugin dependency to v1.3.0, which
added support for the "test mode" plugin serving that powers all this.
As a side-effect of not needing to manage the process lifecycle anymore,
Terraform also no longer needs to worry about the provider's binary, as
it won't be used for anything anymore. Because of this, we can disable
the init behavior that concerns itself with downloading that provider's
binary, checking its version, and otherwise managing the binary.
This is all managed on a per-provider basis, so managed providers that
Terraform downloads, starts, and stops can be used in the same commands
as unmanaged providers. The TF_REATTACH_PROVIDERS environment variable
is added, and is a JSON encoding of the provider's address to the
information we need to connect to it.
This change enables two benefits: first, delve and other debuggers can
now be attached to provider server processes, and Terraform can connect.
This allows for attaching debuggers to provider processes, which before
was difficult to impossible. Second, it allows the SDK test framework to
host the provider in the same process as the test driver, while running
a production Terraform binary against the provider. This allows for Go's
built-in race detector and test coverage tooling to work as expected in
provider tests.
Unmanaged providers are expected to work in the exact same way as
managed providers, with one caveat: Terraform kills provider processes
and restarts them once per graph walk, meaning multiple times during
most Terraform CLI commands. As unmanaged providers can't be killed by
Terraform, and have no visibility into graph walks, unmanaged providers
are likely to have differences in how their global mutable state behaves
when compared to managed providers. Namely, unmanaged providers are
likely to retain global state when managed providers would have reset
it. Developers relying on global state should be aware of this.
2020-05-26 19:48:57 -05:00
unmanagedProviderTypes := make ( map [ addrs . Provider ] struct { } , len ( m . UnmanagedProviders ) )
for ty := range m . UnmanagedProviders {
unmanagedProviderTypes [ ty ] = struct { } { }
}
inst . SetUnmanagedProviderTypes ( unmanagedProviderTypes )
2020-03-30 17:30:56 -05:00
return inst
}
2020-03-31 18:03:07 -05:00
// providerCustomLocalDirectorySource produces a provider source that consults
// only the given local filesystem directories for plugins to install.
//
// This is used to implement the -plugin-dir option for "terraform init", where
// the result of this method is used instead of what would've been returned
// from m.providerInstallSource.
//
// If the given list of directories is empty then the resulting source will
// have no providers available for installation at all.
func ( m * Meta ) providerCustomLocalDirectorySource ( dirs [ ] string ) getproviders . Source {
var ret getproviders . MultiSource
for _ , dir := range dirs {
ret = append ( ret , getproviders . MultiSourceSelector {
Source : getproviders . NewFilesystemMirrorSource ( dir ) ,
} )
}
return ret
}
2020-03-13 13:22:24 -05:00
// providerLocalCacheDir returns an object representing the
// configuration-specific local cache directory. This is the
// only location consulted for provider plugin packages for Terraform
// operations other than provider installation.
//
// Only the provider installer (in "terraform init") is permitted to make
// modifications to this cache directory. All other commands must treat it
// as read-only.
2020-03-30 17:30:56 -05:00
//
// Only one object returned from this method should be live at any time,
// because objects inside contain caches that must be maintained properly.
2020-03-13 13:22:24 -05:00
func ( m * Meta ) providerLocalCacheDir ( ) * providercache . Dir {
2021-09-01 19:01:44 -05:00
m . fixupMissingWorkingDir ( )
dir := m . WorkingDir . ProviderLocalCacheDir ( )
2020-03-13 13:22:24 -05:00
return providercache . NewDir ( dir )
}
// providerGlobalCacheDir returns an object representing the shared global
// provider cache directory, used as a read-through cache when installing
// new provider plugin packages.
//
// This function may return nil, in which case there is no global cache
// configured and new packages should be downloaded directly into individual
// configuration-specific cache directories.
2020-03-30 17:30:56 -05:00
//
// Only one object returned from this method should be live at any time,
// because objects inside contain caches that must be maintained properly.
2020-03-13 13:22:24 -05:00
func ( m * Meta ) providerGlobalCacheDir ( ) * providercache . Dir {
dir := m . PluginCacheDir
if dir == "" {
return nil // cache disabled
}
return providercache . NewDir ( dir )
}
// providerInstallSource returns an object that knows how to consult one or
// more external sources to determine the availability of and package
// locations for versions of Terraform providers that are available for
// automatic installation.
//
// This returns the standard provider install source that consults a number
// of directories selected either automatically or via the CLI configuration.
// Users may choose to override this during a "terraform init" command by
// specifying one or more -plugin-dir options, in which case the installation
// process will construct its own source consulting only those directories
// and use that instead.
func ( m * Meta ) providerInstallSource ( ) getproviders . Source {
// A provider source should always be provided in normal use, but our
// unit tests might not always populate Meta fully and so we'll be robust
// by returning a non-nil source that just always answers that no plugins
// are available.
if m . ProviderSource == nil {
// A multi-source with no underlying sources is effectively an
// always-empty source.
return getproviders . MultiSource ( nil )
}
return m . ProviderSource
}
2020-03-30 17:30:56 -05:00
2021-02-01 09:50:08 -06:00
// providerDevOverrideInitWarnings returns a diagnostics that contains at
// least one warning if and only if there is at least one provider development
// override in effect. If not, the result is always empty. The result never
// contains error diagnostics.
//
// The init command can use this to include a warning that the results
// may differ from what's expected due to the development overrides. For
// other commands, providerDevOverrideRuntimeWarnings should be used.
func ( m * Meta ) providerDevOverrideInitWarnings ( ) tfdiags . Diagnostics {
if len ( m . ProviderDevOverrides ) == 0 {
return nil
}
var detailMsg strings . Builder
detailMsg . WriteString ( "The following provider development overrides are set in the CLI configuration:\n" )
for addr , path := range m . ProviderDevOverrides {
detailMsg . WriteString ( fmt . Sprintf ( " - %s in %s\n" , addr . ForDisplay ( ) , path ) )
}
detailMsg . WriteString ( "\nSkip terraform init when using provider development overrides. It is not necessary and may error unexpectedly." )
return tfdiags . Diagnostics {
tfdiags . Sourceless (
tfdiags . Warning ,
"Provider development overrides are in effect" ,
detailMsg . String ( ) ,
) ,
}
}
// providerDevOverrideRuntimeWarnings returns a diagnostics that contains at
// least one warning if and only if there is at least one provider development
2020-10-14 20:00:23 -05:00
// override in effect. If not, the result is always empty. The result never
// contains error diagnostics.
//
// Certain commands can use this to include a warning that their results
// may differ from what's expected due to the development overrides. It's
// not necessary to bother the user with this warning on every command, but
// it's helpful to return it on commands that have externally-visible side
// effects and on commands that are used to verify conformance to schemas.
2021-02-01 09:50:08 -06:00
//
// See providerDevOverrideInitWarnings for warnings specific to the init
// command.
func ( m * Meta ) providerDevOverrideRuntimeWarnings ( ) tfdiags . Diagnostics {
2020-10-14 20:00:23 -05:00
if len ( m . ProviderDevOverrides ) == 0 {
return nil
}
var detailMsg strings . Builder
detailMsg . WriteString ( "The following provider development overrides are set in the CLI configuration:\n" )
for addr , path := range m . ProviderDevOverrides {
detailMsg . WriteString ( fmt . Sprintf ( " - %s in %s\n" , addr . ForDisplay ( ) , path ) )
}
detailMsg . WriteString ( "\nThe behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases." )
return tfdiags . Diagnostics {
tfdiags . Sourceless (
tfdiags . Warning ,
"Provider development overrides are in effect" ,
detailMsg . String ( ) ,
) ,
}
}
2020-03-30 17:30:56 -05:00
// providerFactories uses the selections made previously by an installer in
// the local cache directory (m.providerLocalCacheDir) to produce a map
// from provider addresses to factory functions to create instances of
// those providers.
//
// providerFactories will return an error if the installer's selections cannot
// be honored with what is currently in the cache, such as if a selected
// package has been removed from the cache or if the contents of a selected
// package have been modified outside of the installer. If it returns an error,
2020-10-02 18:41:56 -05:00
// the returned map may be incomplete or invalid, but will be as complete
// as possible given the cause of the error.
2020-03-30 17:30:56 -05:00
func ( m * Meta ) providerFactories ( ) ( map [ addrs . Provider ] providers . Factory , error ) {
2020-10-02 18:41:56 -05:00
locks , diags := m . lockedDependencies ( )
if diags . HasErrors ( ) {
return nil , fmt . Errorf ( "failed to read dependency lock file: %s" , diags . Err ( ) )
2020-03-30 17:30:56 -05:00
}
2020-10-02 18:41:56 -05:00
// We'll always run through all of our providers, even if one of them
// encounters an error, so that we can potentially report multiple errors
// where appropriate and so that callers can potentially make use of the
// partial result we return if e.g. they want to enumerate which providers
// are available, or call into one of the providers that didn't fail.
command: Early error message for missing cache entries of locked providers
In the original incarnation of Meta.providerFactories we were returning
into a Meta.contextOpts whose signature didn't allow it to return an
error directly, and so we had compromised by making the provider factory
functions themselves return errors once called.
Subsequent work made Meta.contextOpts need to return an error anyway, but
at the time we neglected to update our handling of the providerFactories
result, having it still defer the error handling until we finally
instantiate a provider.
Although that did ultimately get the expected result anyway, the error
ended up being reported from deep in the guts of a Terraform Core graph
walk, in whichever concurrently-visited graph node happened to try to
instantiate the plugin first. This meant that the exact phrasing of the
error message would vary between runs and the reporting codepath didn't
have enough context to given an actionable suggestion on how to proceed.
In this commit we make Meta.contextOpts pass through directly any error
that Meta.providerFactories produces, and then make Meta.providerFactories
produce a special error type so that Meta.Backend can ultimately return
a user-friendly diagnostic message containing a specific suggestion to
run "terraform init", along with a short explanation of what a provider
plugin is.
The reliance here on an implied contract between two functions that are
not directly connected in the callstack is non-ideal, and so hopefully
we'll revisit this further in future work on the overall architecture of
the CLI layer. To try to make this robust in the meantime though, I wrote
it to use the errors.As function to potentially unwrap a wrapped version
of our special error type, in case one of the intervening layers is
changed at some point to wrap the downstream error before returning it.
2021-10-01 16:51:06 -05:00
errs := make ( map [ addrs . Provider ] error )
2020-10-02 18:41:56 -05:00
// For the providers from the lock file, we expect them to be already
// available in the provider cache because "terraform init" should already
// have put them there.
providerLocks := locks . AllProviders ( )
cacheDir := m . providerLocalCacheDir ( )
2020-03-30 17:30:56 -05:00
// The internal providers are _always_ available, even if the configuration
// doesn't request them, because they don't need any special installation
// and they'll just be ignored if not used.
internalFactories := m . internalProviders ( )
2020-10-14 20:00:23 -05:00
// We have two different special cases aimed at provider development
// use-cases, which are not for "production" use:
// - The CLI config can specify that a particular provider should always
// use a plugin from a particular local directory, ignoring anything the
// lock file or cache directory might have to say about it. This is useful
// for manual testing of local development builds.
// - The Terraform SDK test harness (and possibly other callers in future)
2020-10-02 18:41:56 -05:00
// can ask that we use its own already-started provider servers, which we
// call "unmanaged" because Terraform isn't responsible for starting
2020-10-14 20:00:23 -05:00
// and stopping them. This is intended for automated testing where a
// calling harness is responsible both for starting the provider server
// and orchestrating one or more non-interactive Terraform runs that then
// exercise it.
// Unmanaged providers take precedence over overridden providers because
// overrides are typically a "session-level" setting while unmanaged
// providers are typically scoped to a single unattended command.
devOverrideProviders := m . ProviderDevOverrides
2020-10-02 18:41:56 -05:00
unmanagedProviders := m . UnmanagedProviders
factories := make ( map [ addrs . Provider ] providers . Factory , len ( providerLocks ) + len ( internalFactories ) + len ( unmanagedProviders ) )
2020-03-30 17:30:56 -05:00
for name , factory := range internalFactories {
factories [ addrs . NewBuiltInProvider ( name ) ] = factory
}
2020-10-02 18:41:56 -05:00
for provider , lock := range providerLocks {
reportError := func ( thisErr error ) {
command: Early error message for missing cache entries of locked providers
In the original incarnation of Meta.providerFactories we were returning
into a Meta.contextOpts whose signature didn't allow it to return an
error directly, and so we had compromised by making the provider factory
functions themselves return errors once called.
Subsequent work made Meta.contextOpts need to return an error anyway, but
at the time we neglected to update our handling of the providerFactories
result, having it still defer the error handling until we finally
instantiate a provider.
Although that did ultimately get the expected result anyway, the error
ended up being reported from deep in the guts of a Terraform Core graph
walk, in whichever concurrently-visited graph node happened to try to
instantiate the plugin first. This meant that the exact phrasing of the
error message would vary between runs and the reporting codepath didn't
have enough context to given an actionable suggestion on how to proceed.
In this commit we make Meta.contextOpts pass through directly any error
that Meta.providerFactories produces, and then make Meta.providerFactories
produce a special error type so that Meta.Backend can ultimately return
a user-friendly diagnostic message containing a specific suggestion to
run "terraform init", along with a short explanation of what a provider
plugin is.
The reliance here on an implied contract between two functions that are
not directly connected in the callstack is non-ideal, and so hopefully
we'll revisit this further in future work on the overall architecture of
the CLI layer. To try to make this robust in the meantime though, I wrote
it to use the errors.As function to potentially unwrap a wrapped version
of our special error type, in case one of the intervening layers is
changed at some point to wrap the downstream error before returning it.
2021-10-01 16:51:06 -05:00
errs [ provider ] = thisErr
2020-10-02 18:41:56 -05:00
// We'll populate a provider factory that just echoes our error
// again if called, which allows us to still report a helpful
// error even if it gets detected downstream somewhere from the
// caller using our partial result.
factories [ provider ] = providerFactoryError ( thisErr )
}
backend/local: Check dependency lock consistency before any operations
In historical versions of Terraform the responsibility to check this was
inside the terraform.NewContext function, along with various other
assorted concerns that made that function particularly complicated.
More recently, we reduced the responsibility of the "terraform" package
only to instantiating particular named plugins, assuming that its caller
is responsible for selecting appropriate versions of any providers that
_are_ external. However, until this commit we were just assuming that
"terraform init" had correctly selected appropriate plugins and recorded
them in the lock file, and so nothing was dealing with the problem of
ensuring that there haven't been any changes to the lock file or config
since the most recent "terraform init" which would cause us to need to
re-evaluate those decisions.
Part of the game here is to slightly extend the role of the dependency
locks object to also carry information about a subset of provider
addresses whose lock entries we're intentionally disregarding as part of
the various little edge-case features we have for overridding providers:
dev_overrides, "unmanaged providers", and the testing overrides in our
own unit tests. This is an in-memory-only annotation, never included in
the serialized plan files on disk.
I had originally intended to create a new package to encapsulate all of
this plugin-selection logic, including both the version constraint
checking here and also the handling of the provider factory functions, but
as an interim step I've just made version constraint consistency checks
the responsibility of the backend/local package, which means that we'll
always catch problems as part of preparing for local operations, while
not imposing these additional checks on commands that _don't_ run local
operations, such as "terraform apply" when in remote operations mode.
2021-09-29 19:31:43 -05:00
if locks . ProviderIsOverridden ( provider ) {
// Overridden providers we'll handle with the other separate
// loops below, for dev overrides etc.
continue
}
2020-10-02 18:41:56 -05:00
version := lock . Version ( )
cached := cacheDir . ProviderVersion ( provider , version )
if cached == nil {
reportError ( fmt . Errorf (
"there is no package for %s %s cached in %s" ,
provider , version , cacheDir . BasePath ( ) ,
) )
continue
}
// The cached package must match one of the checksums recorded in
// the lock file, if any.
if allowedHashes := lock . PreferredHashes ( ) ; len ( allowedHashes ) != 0 {
matched , err := cached . MatchesAnyHash ( allowedHashes )
if err != nil {
reportError ( fmt . Errorf (
"failed to verify checksum of %s %s package cached in in %s: %s" ,
provider , version , cacheDir . BasePath ( ) , err ,
) )
continue
}
if ! matched {
reportError ( fmt . Errorf (
"the cached package for %s %s (in %s) does not match any of the checksums recorded in the dependency lock file" ,
provider , version , cacheDir . BasePath ( ) ,
) )
continue
}
}
2020-03-30 17:30:56 -05:00
factories [ provider ] = providerFactory ( cached )
}
2020-10-14 20:00:23 -05:00
for provider , localDir := range devOverrideProviders {
factories [ provider ] = devOverrideProviderFactory ( provider , localDir )
}
2020-10-02 18:41:56 -05:00
for provider , reattach := range unmanagedProviders {
factories [ provider ] = unmanagedProviderFactory ( provider , reattach )
}
command: Early error message for missing cache entries of locked providers
In the original incarnation of Meta.providerFactories we were returning
into a Meta.contextOpts whose signature didn't allow it to return an
error directly, and so we had compromised by making the provider factory
functions themselves return errors once called.
Subsequent work made Meta.contextOpts need to return an error anyway, but
at the time we neglected to update our handling of the providerFactories
result, having it still defer the error handling until we finally
instantiate a provider.
Although that did ultimately get the expected result anyway, the error
ended up being reported from deep in the guts of a Terraform Core graph
walk, in whichever concurrently-visited graph node happened to try to
instantiate the plugin first. This meant that the exact phrasing of the
error message would vary between runs and the reporting codepath didn't
have enough context to given an actionable suggestion on how to proceed.
In this commit we make Meta.contextOpts pass through directly any error
that Meta.providerFactories produces, and then make Meta.providerFactories
produce a special error type so that Meta.Backend can ultimately return
a user-friendly diagnostic message containing a specific suggestion to
run "terraform init", along with a short explanation of what a provider
plugin is.
The reliance here on an implied contract between two functions that are
not directly connected in the callstack is non-ideal, and so hopefully
we'll revisit this further in future work on the overall architecture of
the CLI layer. To try to make this robust in the meantime though, I wrote
it to use the errors.As function to potentially unwrap a wrapped version
of our special error type, in case one of the intervening layers is
changed at some point to wrap the downstream error before returning it.
2021-10-01 16:51:06 -05:00
var err error
if len ( errs ) > 0 {
err = providerPluginErrors ( errs )
}
2020-10-02 18:41:56 -05:00
return factories , err
2020-03-30 17:30:56 -05:00
}
func ( m * Meta ) internalProviders ( ) map [ string ] providers . Factory {
return map [ string ] providers . Factory {
"terraform" : func ( ) ( providers . Interface , error ) {
return terraformProvider . NewProvider ( ) , nil
} ,
2021-02-08 18:03:15 -06:00
"test" : func ( ) ( providers . Interface , error ) {
return moduletest . NewProvider ( ) , nil
} ,
2020-03-30 17:30:56 -05:00
}
}
// providerFactory produces a provider factory that runs up the executable
// file in the given cache package and uses go-plugin to implement
// providers.Interface against it.
func providerFactory ( meta * providercache . CachedProvider ) providers . Factory {
return func ( ) ( providers . Interface , error ) {
2020-07-07 13:36:04 -05:00
execFile , err := meta . ExecutableFile ( )
if err != nil {
return nil , err
}
2020-03-30 17:30:56 -05:00
config := & plugin . ClientConfig {
HandshakeConfig : tfplugin . Handshake ,
2020-10-22 14:32:13 -05:00
Logger : logging . NewProviderLogger ( "" ) ,
2020-03-30 17:30:56 -05:00
AllowedProtocols : [ ] plugin . Protocol { plugin . ProtocolGRPC } ,
command: Unmanaged providers
This adds supports for "unmanaged" providers, or providers with process
lifecycles not controlled by Terraform. These providers are assumed to
be started before Terraform is launched, and are assumed to shut
themselves down after Terraform has finished running.
To do this, we must update the go-plugin dependency to v1.3.0, which
added support for the "test mode" plugin serving that powers all this.
As a side-effect of not needing to manage the process lifecycle anymore,
Terraform also no longer needs to worry about the provider's binary, as
it won't be used for anything anymore. Because of this, we can disable
the init behavior that concerns itself with downloading that provider's
binary, checking its version, and otherwise managing the binary.
This is all managed on a per-provider basis, so managed providers that
Terraform downloads, starts, and stops can be used in the same commands
as unmanaged providers. The TF_REATTACH_PROVIDERS environment variable
is added, and is a JSON encoding of the provider's address to the
information we need to connect to it.
This change enables two benefits: first, delve and other debuggers can
now be attached to provider server processes, and Terraform can connect.
This allows for attaching debuggers to provider processes, which before
was difficult to impossible. Second, it allows the SDK test framework to
host the provider in the same process as the test driver, while running
a production Terraform binary against the provider. This allows for Go's
built-in race detector and test coverage tooling to work as expected in
provider tests.
Unmanaged providers are expected to work in the exact same way as
managed providers, with one caveat: Terraform kills provider processes
and restarts them once per graph walk, meaning multiple times during
most Terraform CLI commands. As unmanaged providers can't be killed by
Terraform, and have no visibility into graph walks, unmanaged providers
are likely to have differences in how their global mutable state behaves
when compared to managed providers. Namely, unmanaged providers are
likely to retain global state when managed providers would have reset
it. Developers relying on global state should be aware of this.
2020-05-26 19:48:57 -05:00
Managed : true ,
2020-07-07 13:36:04 -05:00
Cmd : exec . Command ( execFile ) ,
2020-03-30 17:30:56 -05:00
AutoMTLS : enableProviderAutoMTLS ,
command: Unmanaged providers
This adds supports for "unmanaged" providers, or providers with process
lifecycles not controlled by Terraform. These providers are assumed to
be started before Terraform is launched, and are assumed to shut
themselves down after Terraform has finished running.
To do this, we must update the go-plugin dependency to v1.3.0, which
added support for the "test mode" plugin serving that powers all this.
As a side-effect of not needing to manage the process lifecycle anymore,
Terraform also no longer needs to worry about the provider's binary, as
it won't be used for anything anymore. Because of this, we can disable
the init behavior that concerns itself with downloading that provider's
binary, checking its version, and otherwise managing the binary.
This is all managed on a per-provider basis, so managed providers that
Terraform downloads, starts, and stops can be used in the same commands
as unmanaged providers. The TF_REATTACH_PROVIDERS environment variable
is added, and is a JSON encoding of the provider's address to the
information we need to connect to it.
This change enables two benefits: first, delve and other debuggers can
now be attached to provider server processes, and Terraform can connect.
This allows for attaching debuggers to provider processes, which before
was difficult to impossible. Second, it allows the SDK test framework to
host the provider in the same process as the test driver, while running
a production Terraform binary against the provider. This allows for Go's
built-in race detector and test coverage tooling to work as expected in
provider tests.
Unmanaged providers are expected to work in the exact same way as
managed providers, with one caveat: Terraform kills provider processes
and restarts them once per graph walk, meaning multiple times during
most Terraform CLI commands. As unmanaged providers can't be killed by
Terraform, and have no visibility into graph walks, unmanaged providers
are likely to have differences in how their global mutable state behaves
when compared to managed providers. Namely, unmanaged providers are
likely to retain global state when managed providers would have reset
it. Developers relying on global state should be aware of this.
2020-05-26 19:48:57 -05:00
VersionedPlugins : tfplugin . VersionedPlugins ,
2021-05-13 14:59:51 -05:00
SyncStdout : logging . PluginOutputMonitor ( fmt . Sprintf ( "%s:stdout" , meta . Provider ) ) ,
SyncStderr : logging . PluginOutputMonitor ( fmt . Sprintf ( "%s:stderr" , meta . Provider ) ) ,
2020-03-30 17:30:56 -05:00
}
command: Unmanaged providers
This adds supports for "unmanaged" providers, or providers with process
lifecycles not controlled by Terraform. These providers are assumed to
be started before Terraform is launched, and are assumed to shut
themselves down after Terraform has finished running.
To do this, we must update the go-plugin dependency to v1.3.0, which
added support for the "test mode" plugin serving that powers all this.
As a side-effect of not needing to manage the process lifecycle anymore,
Terraform also no longer needs to worry about the provider's binary, as
it won't be used for anything anymore. Because of this, we can disable
the init behavior that concerns itself with downloading that provider's
binary, checking its version, and otherwise managing the binary.
This is all managed on a per-provider basis, so managed providers that
Terraform downloads, starts, and stops can be used in the same commands
as unmanaged providers. The TF_REATTACH_PROVIDERS environment variable
is added, and is a JSON encoding of the provider's address to the
information we need to connect to it.
This change enables two benefits: first, delve and other debuggers can
now be attached to provider server processes, and Terraform can connect.
This allows for attaching debuggers to provider processes, which before
was difficult to impossible. Second, it allows the SDK test framework to
host the provider in the same process as the test driver, while running
a production Terraform binary against the provider. This allows for Go's
built-in race detector and test coverage tooling to work as expected in
provider tests.
Unmanaged providers are expected to work in the exact same way as
managed providers, with one caveat: Terraform kills provider processes
and restarts them once per graph walk, meaning multiple times during
most Terraform CLI commands. As unmanaged providers can't be killed by
Terraform, and have no visibility into graph walks, unmanaged providers
are likely to have differences in how their global mutable state behaves
when compared to managed providers. Namely, unmanaged providers are
likely to retain global state when managed providers would have reset
it. Developers relying on global state should be aware of this.
2020-05-26 19:48:57 -05:00
2020-03-30 17:30:56 -05:00
client := plugin . NewClient ( config )
rpcClient , err := client . Client ( )
if err != nil {
return nil , err
}
raw , err := rpcClient . Dispense ( tfplugin . ProviderPluginName )
if err != nil {
return nil , err
}
// store the client so that the plugin can kill the child process
2021-02-22 09:22:45 -06:00
protoVer := client . NegotiatedVersion ( )
switch protoVer {
case 5 :
p := raw . ( * tfplugin . GRPCProvider )
p . PluginClient = client
return p , nil
case 6 :
p := raw . ( * tfplugin6 . GRPCProvider )
p . PluginClient = client
return p , nil
default :
panic ( "unsupported protocol version" )
}
command: Unmanaged providers
This adds supports for "unmanaged" providers, or providers with process
lifecycles not controlled by Terraform. These providers are assumed to
be started before Terraform is launched, and are assumed to shut
themselves down after Terraform has finished running.
To do this, we must update the go-plugin dependency to v1.3.0, which
added support for the "test mode" plugin serving that powers all this.
As a side-effect of not needing to manage the process lifecycle anymore,
Terraform also no longer needs to worry about the provider's binary, as
it won't be used for anything anymore. Because of this, we can disable
the init behavior that concerns itself with downloading that provider's
binary, checking its version, and otherwise managing the binary.
This is all managed on a per-provider basis, so managed providers that
Terraform downloads, starts, and stops can be used in the same commands
as unmanaged providers. The TF_REATTACH_PROVIDERS environment variable
is added, and is a JSON encoding of the provider's address to the
information we need to connect to it.
This change enables two benefits: first, delve and other debuggers can
now be attached to provider server processes, and Terraform can connect.
This allows for attaching debuggers to provider processes, which before
was difficult to impossible. Second, it allows the SDK test framework to
host the provider in the same process as the test driver, while running
a production Terraform binary against the provider. This allows for Go's
built-in race detector and test coverage tooling to work as expected in
provider tests.
Unmanaged providers are expected to work in the exact same way as
managed providers, with one caveat: Terraform kills provider processes
and restarts them once per graph walk, meaning multiple times during
most Terraform CLI commands. As unmanaged providers can't be killed by
Terraform, and have no visibility into graph walks, unmanaged providers
are likely to have differences in how their global mutable state behaves
when compared to managed providers. Namely, unmanaged providers are
likely to retain global state when managed providers would have reset
it. Developers relying on global state should be aware of this.
2020-05-26 19:48:57 -05:00
}
}
2020-10-14 20:00:23 -05:00
func devOverrideProviderFactory ( provider addrs . Provider , localDir getproviders . PackageLocalDir ) providers . Factory {
// A dev override is essentially a synthetic cache entry for our purposes
// here, so that's how we'll construct it. The providerFactory function
// doesn't actually care about the version, so we can leave it
// unspecified: overridden providers are not explicitly versioned.
log . Printf ( "[DEBUG] Provider %s is overridden to load from %s" , provider , localDir )
return providerFactory ( & providercache . CachedProvider {
Provider : provider ,
Version : getproviders . UnspecifiedVersion ,
PackageDir : string ( localDir ) ,
} )
}
command: Unmanaged providers
This adds supports for "unmanaged" providers, or providers with process
lifecycles not controlled by Terraform. These providers are assumed to
be started before Terraform is launched, and are assumed to shut
themselves down after Terraform has finished running.
To do this, we must update the go-plugin dependency to v1.3.0, which
added support for the "test mode" plugin serving that powers all this.
As a side-effect of not needing to manage the process lifecycle anymore,
Terraform also no longer needs to worry about the provider's binary, as
it won't be used for anything anymore. Because of this, we can disable
the init behavior that concerns itself with downloading that provider's
binary, checking its version, and otherwise managing the binary.
This is all managed on a per-provider basis, so managed providers that
Terraform downloads, starts, and stops can be used in the same commands
as unmanaged providers. The TF_REATTACH_PROVIDERS environment variable
is added, and is a JSON encoding of the provider's address to the
information we need to connect to it.
This change enables two benefits: first, delve and other debuggers can
now be attached to provider server processes, and Terraform can connect.
This allows for attaching debuggers to provider processes, which before
was difficult to impossible. Second, it allows the SDK test framework to
host the provider in the same process as the test driver, while running
a production Terraform binary against the provider. This allows for Go's
built-in race detector and test coverage tooling to work as expected in
provider tests.
Unmanaged providers are expected to work in the exact same way as
managed providers, with one caveat: Terraform kills provider processes
and restarts them once per graph walk, meaning multiple times during
most Terraform CLI commands. As unmanaged providers can't be killed by
Terraform, and have no visibility into graph walks, unmanaged providers
are likely to have differences in how their global mutable state behaves
when compared to managed providers. Namely, unmanaged providers are
likely to retain global state when managed providers would have reset
it. Developers relying on global state should be aware of this.
2020-05-26 19:48:57 -05:00
// unmanagedProviderFactory produces a provider factory that uses the passed
// reattach information to connect to go-plugin processes that are already
// running, and implements providers.Interface against it.
func unmanagedProviderFactory ( provider addrs . Provider , reattach * plugin . ReattachConfig ) providers . Factory {
return func ( ) ( providers . Interface , error ) {
config := & plugin . ClientConfig {
HandshakeConfig : tfplugin . Handshake ,
2020-10-22 14:32:13 -05:00
Logger : logging . NewProviderLogger ( "unmanaged." ) ,
command: Unmanaged providers
This adds supports for "unmanaged" providers, or providers with process
lifecycles not controlled by Terraform. These providers are assumed to
be started before Terraform is launched, and are assumed to shut
themselves down after Terraform has finished running.
To do this, we must update the go-plugin dependency to v1.3.0, which
added support for the "test mode" plugin serving that powers all this.
As a side-effect of not needing to manage the process lifecycle anymore,
Terraform also no longer needs to worry about the provider's binary, as
it won't be used for anything anymore. Because of this, we can disable
the init behavior that concerns itself with downloading that provider's
binary, checking its version, and otherwise managing the binary.
This is all managed on a per-provider basis, so managed providers that
Terraform downloads, starts, and stops can be used in the same commands
as unmanaged providers. The TF_REATTACH_PROVIDERS environment variable
is added, and is a JSON encoding of the provider's address to the
information we need to connect to it.
This change enables two benefits: first, delve and other debuggers can
now be attached to provider server processes, and Terraform can connect.
This allows for attaching debuggers to provider processes, which before
was difficult to impossible. Second, it allows the SDK test framework to
host the provider in the same process as the test driver, while running
a production Terraform binary against the provider. This allows for Go's
built-in race detector and test coverage tooling to work as expected in
provider tests.
Unmanaged providers are expected to work in the exact same way as
managed providers, with one caveat: Terraform kills provider processes
and restarts them once per graph walk, meaning multiple times during
most Terraform CLI commands. As unmanaged providers can't be killed by
Terraform, and have no visibility into graph walks, unmanaged providers
are likely to have differences in how their global mutable state behaves
when compared to managed providers. Namely, unmanaged providers are
likely to retain global state when managed providers would have reset
it. Developers relying on global state should be aware of this.
2020-05-26 19:48:57 -05:00
AllowedProtocols : [ ] plugin . Protocol { plugin . ProtocolGRPC } ,
Managed : false ,
Reattach : reattach ,
2021-05-13 14:59:51 -05:00
SyncStdout : logging . PluginOutputMonitor ( fmt . Sprintf ( "%s:stdout" , provider ) ) ,
SyncStderr : logging . PluginOutputMonitor ( fmt . Sprintf ( "%s:stderr" , provider ) ) ,
command: Unmanaged providers
This adds supports for "unmanaged" providers, or providers with process
lifecycles not controlled by Terraform. These providers are assumed to
be started before Terraform is launched, and are assumed to shut
themselves down after Terraform has finished running.
To do this, we must update the go-plugin dependency to v1.3.0, which
added support for the "test mode" plugin serving that powers all this.
As a side-effect of not needing to manage the process lifecycle anymore,
Terraform also no longer needs to worry about the provider's binary, as
it won't be used for anything anymore. Because of this, we can disable
the init behavior that concerns itself with downloading that provider's
binary, checking its version, and otherwise managing the binary.
This is all managed on a per-provider basis, so managed providers that
Terraform downloads, starts, and stops can be used in the same commands
as unmanaged providers. The TF_REATTACH_PROVIDERS environment variable
is added, and is a JSON encoding of the provider's address to the
information we need to connect to it.
This change enables two benefits: first, delve and other debuggers can
now be attached to provider server processes, and Terraform can connect.
This allows for attaching debuggers to provider processes, which before
was difficult to impossible. Second, it allows the SDK test framework to
host the provider in the same process as the test driver, while running
a production Terraform binary against the provider. This allows for Go's
built-in race detector and test coverage tooling to work as expected in
provider tests.
Unmanaged providers are expected to work in the exact same way as
managed providers, with one caveat: Terraform kills provider processes
and restarts them once per graph walk, meaning multiple times during
most Terraform CLI commands. As unmanaged providers can't be killed by
Terraform, and have no visibility into graph walks, unmanaged providers
are likely to have differences in how their global mutable state behaves
when compared to managed providers. Namely, unmanaged providers are
likely to retain global state when managed providers would have reset
it. Developers relying on global state should be aware of this.
2020-05-26 19:48:57 -05:00
}
2021-05-18 09:59:14 -05:00
if reattach . ProtocolVersion == 0 {
// As of the 0.15 release, sdk.v2 doesn't include the protocol
// version in the ReattachConfig (only recently added to
// go-plugin), so client.NegotiatedVersion() always returns 0. We
// assume that an unmanaged provider reporting protocol version 0 is
// actually using proto v5 for backwards compatibility.
if defaultPlugins , ok := tfplugin . VersionedPlugins [ 5 ] ; ok {
config . Plugins = defaultPlugins
} else {
return nil , errors . New ( "no supported plugins for protocol 0" )
}
} else if plugins , ok := tfplugin . VersionedPlugins [ reattach . ProtocolVersion ] ; ! ok {
return nil , fmt . Errorf ( "no supported plugins for protocol %d" , reattach . ProtocolVersion )
command: Unmanaged providers
This adds supports for "unmanaged" providers, or providers with process
lifecycles not controlled by Terraform. These providers are assumed to
be started before Terraform is launched, and are assumed to shut
themselves down after Terraform has finished running.
To do this, we must update the go-plugin dependency to v1.3.0, which
added support for the "test mode" plugin serving that powers all this.
As a side-effect of not needing to manage the process lifecycle anymore,
Terraform also no longer needs to worry about the provider's binary, as
it won't be used for anything anymore. Because of this, we can disable
the init behavior that concerns itself with downloading that provider's
binary, checking its version, and otherwise managing the binary.
This is all managed on a per-provider basis, so managed providers that
Terraform downloads, starts, and stops can be used in the same commands
as unmanaged providers. The TF_REATTACH_PROVIDERS environment variable
is added, and is a JSON encoding of the provider's address to the
information we need to connect to it.
This change enables two benefits: first, delve and other debuggers can
now be attached to provider server processes, and Terraform can connect.
This allows for attaching debuggers to provider processes, which before
was difficult to impossible. Second, it allows the SDK test framework to
host the provider in the same process as the test driver, while running
a production Terraform binary against the provider. This allows for Go's
built-in race detector and test coverage tooling to work as expected in
provider tests.
Unmanaged providers are expected to work in the exact same way as
managed providers, with one caveat: Terraform kills provider processes
and restarts them once per graph walk, meaning multiple times during
most Terraform CLI commands. As unmanaged providers can't be killed by
Terraform, and have no visibility into graph walks, unmanaged providers
are likely to have differences in how their global mutable state behaves
when compared to managed providers. Namely, unmanaged providers are
likely to retain global state when managed providers would have reset
it. Developers relying on global state should be aware of this.
2020-05-26 19:48:57 -05:00
} else {
config . Plugins = plugins
}
client := plugin . NewClient ( config )
rpcClient , err := client . Client ( )
if err != nil {
return nil , err
}
raw , err := rpcClient . Dispense ( tfplugin . ProviderPluginName )
if err != nil {
return nil , err
}
2021-05-18 09:59:14 -05:00
// store the client so that the plugin can kill the child process
protoVer := client . NegotiatedVersion ( )
switch protoVer {
case 0 , 5 :
// As of the 0.15 release, sdk.v2 doesn't include the protocol
// version in the ReattachConfig (only recently added to
// go-plugin), so client.NegotiatedVersion() always returns 0. We
// assume that an unmanaged provider reporting protocol version 0 is
// actually using proto v5 for backwards compatibility.
p := raw . ( * tfplugin . GRPCProvider )
p . PluginClient = client
return p , nil
case 6 :
p := raw . ( * tfplugin6 . GRPCProvider )
p . PluginClient = client
return p , nil
default :
return nil , fmt . Errorf ( "unsupported protocol version %d" , protoVer )
}
2020-03-30 17:30:56 -05:00
}
}
2020-10-02 18:41:56 -05:00
// providerFactoryError is a stub providers.Factory that returns an error
// when called. It's used to allow providerFactories to still produce a
// factory for each available provider in an error case, for situations
// where the caller can do something useful with that partial result.
func providerFactoryError ( err error ) providers . Factory {
return func ( ) ( providers . Interface , error ) {
return nil , err
}
}
command: Early error message for missing cache entries of locked providers
In the original incarnation of Meta.providerFactories we were returning
into a Meta.contextOpts whose signature didn't allow it to return an
error directly, and so we had compromised by making the provider factory
functions themselves return errors once called.
Subsequent work made Meta.contextOpts need to return an error anyway, but
at the time we neglected to update our handling of the providerFactories
result, having it still defer the error handling until we finally
instantiate a provider.
Although that did ultimately get the expected result anyway, the error
ended up being reported from deep in the guts of a Terraform Core graph
walk, in whichever concurrently-visited graph node happened to try to
instantiate the plugin first. This meant that the exact phrasing of the
error message would vary between runs and the reporting codepath didn't
have enough context to given an actionable suggestion on how to proceed.
In this commit we make Meta.contextOpts pass through directly any error
that Meta.providerFactories produces, and then make Meta.providerFactories
produce a special error type so that Meta.Backend can ultimately return
a user-friendly diagnostic message containing a specific suggestion to
run "terraform init", along with a short explanation of what a provider
plugin is.
The reliance here on an implied contract between two functions that are
not directly connected in the callstack is non-ideal, and so hopefully
we'll revisit this further in future work on the overall architecture of
the CLI layer. To try to make this robust in the meantime though, I wrote
it to use the errors.As function to potentially unwrap a wrapped version
of our special error type, in case one of the intervening layers is
changed at some point to wrap the downstream error before returning it.
2021-10-01 16:51:06 -05:00
// providerPluginErrors is an error implementation we can return from
// Meta.providerFactories to capture potentially multiple errors about the
// locally-cached plugins (or lack thereof) for particular external providers.
//
// Some functions closer to the UI layer can sniff for this error type in order
// to return a more helpful error message.
type providerPluginErrors map [ addrs . Provider ] error
func ( errs providerPluginErrors ) Error ( ) string {
if len ( errs ) == 1 {
for addr , err := range errs {
return fmt . Sprintf ( "%s: %s" , addr , err )
}
}
var buf bytes . Buffer
fmt . Fprintf ( & buf , "missing or corrupted provider plugins:" )
for addr , err := range errs {
fmt . Fprintf ( & buf , "\n - %s: %s" , addr , err )
}
return buf . String ( )
}