2018-10-31 10:45:03 -05:00
package remote
import (
"context"
"fmt"
"log"
"net/http"
"net/url"
"os"
"sort"
"strings"
"sync"
2019-03-06 06:36:06 -06:00
"time"
2018-10-31 10:45:03 -05:00
tfe "github.com/hashicorp/go-tfe"
2018-12-14 12:31:42 -06:00
version "github.com/hashicorp/go-version"
2020-02-05 10:48:10 -06:00
svchost "github.com/hashicorp/terraform-svchost"
2019-10-11 04:34:26 -05:00
"github.com/hashicorp/terraform-svchost/disco"
2021-05-17 10:42:17 -05:00
"github.com/hashicorp/terraform/internal/backend"
2021-05-17 14:17:09 -05:00
"github.com/hashicorp/terraform/internal/configs/configschema"
2021-10-27 15:33:35 -05:00
"github.com/hashicorp/terraform/internal/logging"
2021-05-17 14:43:35 -05:00
"github.com/hashicorp/terraform/internal/states/remote"
"github.com/hashicorp/terraform/internal/states/statemgr"
2021-05-17 14:46:19 -05:00
"github.com/hashicorp/terraform/internal/terraform"
2021-05-17 12:11:06 -05:00
"github.com/hashicorp/terraform/internal/tfdiags"
2018-12-14 12:31:42 -06:00
tfversion "github.com/hashicorp/terraform/version"
2018-10-31 10:45:03 -05:00
"github.com/mitchellh/cli"
"github.com/mitchellh/colorstring"
"github.com/zclconf/go-cty/cty"
2018-11-15 13:26:46 -06:00
2021-05-17 10:42:17 -05:00
backendLocal "github.com/hashicorp/terraform/internal/backend/local"
2018-10-31 10:45:03 -05:00
)
const (
defaultHostname = "app.terraform.io"
defaultParallelism = 10
2019-02-18 09:01:06 -06:00
stateServiceID = "state.v2"
2018-12-13 16:12:36 -06:00
tfeServiceID = "tfe.v2.1"
2018-10-31 10:45:03 -05:00
)
// Remote is an implementation of EnhancedBackend that performs all
// operations in a remote backend.
type Remote struct {
// CLI and Colorize control the CLI output. If CLI is nil then no CLI
// output will be done. If CLIColor is nil then no coloring will be done.
CLI cli . Ui
CLIColor * colorstring . Colorize
// ContextOpts are the base context options to set when initializing a
// new Terraform context. Many of these will be overridden or merged by
// Operation. See Operation for more details.
ContextOpts * terraform . ContextOpts
2018-11-15 13:26:46 -06:00
// client is the remote backend API client.
2018-10-31 10:45:03 -05:00
client * tfe . Client
2019-03-06 06:36:06 -06:00
// lastRetry is set to the last time a request was retried.
lastRetry time . Time
2018-11-15 13:26:46 -06:00
// hostname of the remote backend server.
2018-10-31 10:45:03 -05:00
hostname string
2018-11-15 13:26:46 -06:00
// organization is the organization that contains the target workspaces.
2018-10-31 10:45:03 -05:00
organization string
2018-11-15 13:26:46 -06:00
// workspace is used to map the default workspace to a remote workspace.
2018-10-31 10:45:03 -05:00
workspace string
2018-11-30 12:31:58 -06:00
// prefix is used to filter down a set of workspaces that use a single
// configuration.
2018-10-31 10:45:03 -05:00
prefix string
// services is used for service discovery
services * disco . Disco
2018-11-15 13:26:46 -06:00
// local, if non-nil, will be used for all enhanced behavior. This
// allows local behavior with the remote backend functioning as remote
// state storage backend.
local backend . Enhanced
// forceLocal, if true, will force the use of the local backend.
forceLocal bool
2018-10-31 10:45:03 -05:00
// opLock locks operations
opLock sync . Mutex
backend: Validate remote backend Terraform version
When using the enhanced remote backend, a subset of all Terraform
operations are supported. Of these, only plan and apply can be executed
on the remote infrastructure (e.g. Terraform Cloud). Other operations
run locally and use the remote backend for state storage.
This causes problems when the local version of Terraform does not match
the configured version from the remote workspace. If the two versions
are incompatible, an `import` or `state mv` operation can cause the
remote workspace to be unusable until a manual fix is applied.
To prevent this from happening accidentally, this commit introduces a
check that the local Terraform version and the configured remote
workspace Terraform version are compatible. This check is skipped for
commands which do not write state, and can also be disabled by the use
of a new command-line flag, `-ignore-remote-version`.
Terraform version compatibility is defined as:
- For all releases before 0.14.0, local must exactly equal remote, as
two different versions cannot share state;
- 0.14.0 to 1.0.x are compatible, as we will not change the state
version number until at least Terraform 1.1.0;
- Versions after 1.1.0 must have the same major and minor versions, as
we will not change the state version number in a patch release.
If the two versions are incompatible, a diagnostic is displayed,
advising that the error can be suppressed with `-ignore-remote-version`.
When this flag is used, the diagnostic is still displayed, but as a
warning instead of an error.
Commands which will not write state can assert this fact by calling the
helper `meta.ignoreRemoteBackendVersionConflict`, which will disable the
checks. Those which can write state should instead call the helper
`meta.remoteBackendVersionCheck`, which will return diagnostics for
display.
In addition to these explicit paths for managing the version check, we
have an implicit check in the remote backend's state manager
initialization method. Both of the above helpers will disable this
check. This fallback is in place to ensure that future code paths which
access state cannot accidentally skip the remote version check.
2020-11-13 15:43:56 -06:00
// ignoreVersionConflict, if true, will disable the requirement that the
// local Terraform version matches the remote workspace's configured
// version. This will also cause VerifyWorkspaceTerraformVersion to return
// a warning diagnostic instead of an error.
ignoreVersionConflict bool
2018-10-31 10:45:03 -05:00
}
var _ backend . Backend = ( * Remote ) ( nil )
core: Functional-style API for terraform.Context
Previously terraform.Context was built in an unfortunate way where all of
the data was provided up front in terraform.NewContext and then mutated
directly by subsequent operations. That made the data flow hard to follow,
commonly leading to bugs, and also meant that we were forced to take
various actions too early in terraform.NewContext, rather than waiting
until a more appropriate time during an operation.
This (enormous) commit changes terraform.Context so that its fields are
broadly just unchanging data about the execution context (current
workspace name, available plugins, etc) whereas the main data Terraform
works with arrives via individual method arguments and is returned in
return values.
Specifically, this means that terraform.Context no longer "has-a" config,
state, and "planned changes", instead holding on to those only temporarily
during an operation. The caller is responsible for propagating the outcome
of one step into the next step so that the data flow between operations is
actually visible.
However, since that's a change to the main entry points in the "terraform"
package, this commit also touches every file in the codebase which
interacted with those APIs. Most of the noise here is in updating tests
to take the same actions using the new API style, but this also affects
the main-code callers in the backends and in the command package.
My goal here was to refactor without changing observable behavior, but in
practice there are a couple externally-visible behavior variations here
that seemed okay in service of the broader goal:
- The "terraform graph" command is no longer hooked directly into the
core graph builders, because that's no longer part of the public API.
However, I did include a couple new Context functions whose contract
is to produce a UI-oriented graph, and _for now_ those continue to
return the physical graph we use for those operations. There's no
exported API for generating the "validate" and "eval" graphs, because
neither is particularly interesting in its own right, and so
"terraform graph" no longer supports those graph types.
- terraform.NewContext no longer has the responsibility for collecting
all of the provider schemas up front. Instead, we wait until we need
them. However, that means that some of our error messages now have a
slightly different shape due to unwinding through a differently-shaped
call stack. As of this commit we also end up reloading the schemas
multiple times in some cases, which is functionally acceptable but
likely represents a performance regression. I intend to rework this to
use caching, but I'm saving that for a later commit because this one is
big enough already.
The proximal reason for this change is to resolve the chicken/egg problem
whereby there was previously no single point where we could apply "moved"
statements to the previous run state before creating a plan. With this
change in place, we can now do that as part of Context.Plan, prior to
forking the input state into the three separate state artifacts we use
during planning.
However, this is at least the third project in a row where the previous
API design led to piling more functionality into terraform.NewContext and
then working around the incorrect order of operations that produces, so
I intend that by paying the cost/risk of this large diff now we can in
turn reduce the cost/risk of future projects that relate to our main
workflow actions.
2021-08-24 14:06:38 -05:00
var _ backend . Enhanced = ( * Remote ) ( nil )
var _ backend . Local = ( * Remote ) ( nil )
2018-10-31 10:45:03 -05:00
// New creates a new initialized remote backend.
func New ( services * disco . Disco ) * Remote {
return & Remote {
services : services ,
}
}
2018-11-15 13:26:46 -06:00
// ConfigSchema implements backend.Enhanced.
2018-10-31 10:45:03 -05:00
func ( b * Remote ) ConfigSchema ( ) * configschema . Block {
return & configschema . Block {
Attributes : map [ string ] * configschema . Attribute {
"hostname" : {
Type : cty . String ,
Optional : true ,
Description : schemaDescriptions [ "hostname" ] ,
} ,
"organization" : {
Type : cty . String ,
Required : true ,
Description : schemaDescriptions [ "organization" ] ,
} ,
"token" : {
Type : cty . String ,
Optional : true ,
Description : schemaDescriptions [ "token" ] ,
} ,
} ,
BlockTypes : map [ string ] * configschema . NestedBlock {
"workspaces" : {
Block : configschema . Block {
Attributes : map [ string ] * configschema . Attribute {
"name" : {
Type : cty . String ,
Optional : true ,
Description : schemaDescriptions [ "name" ] ,
} ,
"prefix" : {
Type : cty . String ,
Optional : true ,
Description : schemaDescriptions [ "prefix" ] ,
} ,
} ,
} ,
Nesting : configschema . NestingSingle ,
} ,
} ,
}
}
2019-02-25 17:37:20 -06:00
// PrepareConfig implements backend.Backend.
func ( b * Remote ) PrepareConfig ( obj cty . Value ) ( cty . Value , tfdiags . Diagnostics ) {
2018-10-31 10:45:03 -05:00
var diags tfdiags . Diagnostics
2020-06-05 08:11:44 -05:00
if obj . IsNull ( ) {
return obj , diags
}
2018-10-31 10:45:03 -05:00
2018-12-13 16:12:36 -06:00
if val := obj . GetAttr ( "organization" ) ; val . IsNull ( ) || val . AsString ( ) == "" {
diags = diags . Append ( tfdiags . AttributeValue (
tfdiags . Error ,
"Invalid organization value" ,
` The "organization" attribute value must not be empty. ` ,
cty . Path { cty . GetAttrStep { Name : "organization" } } ,
) )
2018-10-31 10:45:03 -05:00
}
var name , prefix string
if workspaces := obj . GetAttr ( "workspaces" ) ; ! workspaces . IsNull ( ) {
if val := workspaces . GetAttr ( "name" ) ; ! val . IsNull ( ) {
name = val . AsString ( )
}
if val := workspaces . GetAttr ( "prefix" ) ; ! val . IsNull ( ) {
prefix = val . AsString ( )
}
}
// Make sure that we have either a workspace name or a prefix.
if name == "" && prefix == "" {
diags = diags . Append ( tfdiags . AttributeValue (
tfdiags . Error ,
"Invalid workspaces configuration" ,
` Either workspace "name" or "prefix" is required. ` ,
cty . Path { cty . GetAttrStep { Name : "workspaces" } } ,
) )
}
// Make sure that only one of workspace name or a prefix is configured.
if name != "" && prefix != "" {
diags = diags . Append ( tfdiags . AttributeValue (
tfdiags . Error ,
"Invalid workspaces configuration" ,
` Only one of workspace "name" or "prefix" is allowed. ` ,
cty . Path { cty . GetAttrStep { Name : "workspaces" } } ,
) )
}
2019-02-25 17:37:20 -06:00
return obj , diags
2018-10-31 10:45:03 -05:00
}
2018-11-15 13:26:46 -06:00
// Configure implements backend.Enhanced.
2018-10-31 10:45:03 -05:00
func ( b * Remote ) Configure ( obj cty . Value ) tfdiags . Diagnostics {
var diags tfdiags . Diagnostics
2020-06-05 08:11:44 -05:00
if obj . IsNull ( ) {
return diags
}
2018-10-31 10:45:03 -05:00
// Get the hostname.
if val := obj . GetAttr ( "hostname" ) ; ! val . IsNull ( ) && val . AsString ( ) != "" {
b . hostname = val . AsString ( )
} else {
b . hostname = defaultHostname
}
// Get the organization.
if val := obj . GetAttr ( "organization" ) ; ! val . IsNull ( ) {
b . organization = val . AsString ( )
}
// Get the workspaces configuration block and retrieve the
// default workspace name and prefix.
if workspaces := obj . GetAttr ( "workspaces" ) ; ! workspaces . IsNull ( ) {
if val := workspaces . GetAttr ( "name" ) ; ! val . IsNull ( ) {
b . workspace = val . AsString ( )
}
if val := workspaces . GetAttr ( "prefix" ) ; ! val . IsNull ( ) {
b . prefix = val . AsString ( )
}
}
2019-02-18 09:01:06 -06:00
// Determine if we are forced to use the local backend.
b . forceLocal = os . Getenv ( "TF_FORCE_LOCAL_BACKEND" ) != ""
serviceID := tfeServiceID
if b . forceLocal {
serviceID = stateServiceID
}
2018-10-31 10:45:03 -05:00
// Discover the service URL for this host to confirm that it provides
2018-12-14 12:31:42 -06:00
// a remote backend API and to get the version constraints.
2019-02-18 09:01:06 -06:00
service , constraints , err := b . discover ( serviceID )
2019-01-23 08:09:42 -06:00
// First check any contraints we might have received.
if constraints != nil {
diags = diags . Append ( b . checkConstraints ( constraints ) )
if diags . HasErrors ( ) {
return diags
}
}
// When we don't have any constraints errors, also check for discovery
// errors before we continue.
2018-10-31 10:45:03 -05:00
if err != nil {
diags = diags . Append ( tfdiags . AttributeValue (
tfdiags . Error ,
strings . ToUpper ( err . Error ( ) [ : 1 ] ) + err . Error ( ) [ 1 : ] ,
2018-12-13 16:12:36 -06:00
"" , // no description is needed here, the error is clear
2018-10-31 10:45:03 -05:00
cty . Path { cty . GetAttrStep { Name : "hostname" } } ,
) )
return diags
}
2022-03-11 20:00:22 -06:00
// Get the token from the config.
var token string
if val := obj . GetAttr ( "token" ) ; ! val . IsNull ( ) {
token = val . AsString ( )
2018-10-31 10:45:03 -05:00
}
2018-12-14 12:31:42 -06:00
2022-03-11 20:00:22 -06:00
// Retrieve the token for this host as configured in the credentials
// section of the CLI Config File if no token was configured for this
// host in the config.
2018-10-31 10:45:03 -05:00
if token == "" {
2022-03-11 20:00:22 -06:00
token , err = b . token ( )
if err != nil {
diags = diags . Append ( tfdiags . AttributeValue (
tfdiags . Error ,
strings . ToUpper ( err . Error ( ) [ : 1 ] ) + err . Error ( ) [ 1 : ] ,
"" , // no description is needed here, the error is clear
cty . Path { cty . GetAttrStep { Name : "hostname" } } ,
) )
return diags
2018-10-31 10:45:03 -05:00
}
}
2018-12-13 16:12:36 -06:00
// Return an error if we still don't have a token at this point.
if token == "" {
2020-02-05 10:48:10 -06:00
loginCommand := "terraform login"
if b . hostname != defaultHostname {
loginCommand = loginCommand + " " + b . hostname
}
2018-12-13 16:12:36 -06:00
diags = diags . Append ( tfdiags . Sourceless (
tfdiags . Error ,
"Required token could not be found" ,
fmt . Sprintf (
2020-02-05 10:48:10 -06:00
"Run the following command to generate a token for %s:\n %s" ,
2018-12-13 16:12:36 -06:00
b . hostname ,
2020-02-05 10:48:10 -06:00
loginCommand ,
2018-12-13 16:12:36 -06:00
) ,
) )
return diags
}
2018-10-31 10:45:03 -05:00
cfg := & tfe . Config {
2019-03-06 06:36:06 -06:00
Address : service . String ( ) ,
BasePath : service . Path ,
Token : token ,
Headers : make ( http . Header ) ,
RetryLogHook : b . retryLogHook ,
2018-10-31 10:45:03 -05:00
}
// Set the version header to the current version.
2018-12-14 12:31:42 -06:00
cfg . Headers . Set ( tfversion . Header , tfversion . Version )
2018-10-31 10:45:03 -05:00
// Create the remote backend API client.
b . client , err = tfe . NewClient ( cfg )
if err != nil {
diags = diags . Append ( tfdiags . Sourceless (
tfdiags . Error ,
"Failed to create the Terraform Enterprise client" ,
fmt . Sprintf (
` The "remote" backend encountered an unexpected error while creating the ` +
` Terraform Enterprise client: %s. ` , err ,
) ,
) )
2018-11-15 13:26:46 -06:00
return diags
2018-10-31 10:45:03 -05:00
}
2018-12-05 05:29:08 -06:00
// Check if the organization exists by reading its entitlements.
2022-03-23 15:58:47 -05:00
entitlements , err := b . client . Organizations . ReadEntitlements ( context . Background ( ) , b . organization )
2018-11-15 13:26:46 -06:00
if err != nil {
if err == tfe . ErrResourceNotFound {
2021-05-12 01:28:22 -05:00
err = fmt . Errorf ( "organization %q at host %s not found.\n\n" +
"Please ensure that the organization and hostname are correct " +
"and that your API token for %s is valid." ,
b . organization , b . hostname , b . hostname )
2018-11-15 13:26:46 -06:00
}
diags = diags . Append ( tfdiags . AttributeValue (
tfdiags . Error ,
2021-05-12 01:28:22 -05:00
fmt . Sprintf ( "Failed to read organization %q at host %s" , b . organization , b . hostname ) ,
fmt . Sprintf ( "The \"remote\" backend encountered an unexpected error while reading the " +
"organization settings: %s" , err ) ,
2018-11-15 13:26:46 -06:00
cty . Path { cty . GetAttrStep { Name : "organization" } } ,
) )
return diags
}
// Configure a local backend for when we need to run operations locally.
b . local = backendLocal . NewWithBackend ( b )
2019-02-18 09:01:06 -06:00
b . forceLocal = b . forceLocal || ! entitlements . Operations
2018-11-15 13:26:46 -06:00
2019-03-06 06:36:06 -06:00
// Enable retries for server errors as the backend is now fully configured.
b . client . RetryServerErrors ( true )
2018-10-31 10:45:03 -05:00
return diags
}
2018-12-14 12:31:42 -06:00
// discover the remote backend API service URL and version constraints.
2019-02-18 09:01:06 -06:00
func ( b * Remote ) discover ( serviceID string ) ( * url . URL , * disco . Constraints , error ) {
2018-12-14 12:31:42 -06:00
hostname , err := svchost . ForComparison ( b . hostname )
2018-10-31 10:45:03 -05:00
if err != nil {
2018-12-14 12:31:42 -06:00
return nil , nil , err
2018-10-31 10:45:03 -05:00
}
2018-12-14 12:31:42 -06:00
host , err := b . services . Discover ( hostname )
2018-12-10 04:06:05 -06:00
if err != nil {
2018-12-14 12:31:42 -06:00
return nil , nil , err
2018-10-31 10:45:03 -05:00
}
2018-12-14 12:31:42 -06:00
2019-02-18 09:01:06 -06:00
service , err := host . ServiceURL ( serviceID )
2018-12-14 12:31:42 -06:00
// Return the error, unless its a disco.ErrVersionNotSupported error.
if _ , ok := err . ( * disco . ErrVersionNotSupported ) ; ! ok && err != nil {
return nil , nil , err
}
// We purposefully ignore the error and return the previous error, as
// checking for version constraints is considered optional.
2019-02-18 09:01:06 -06:00
constraints , _ := host . VersionConstraints ( serviceID , "terraform" )
2018-12-14 12:31:42 -06:00
return service , constraints , err
}
// checkConstraints checks service version constrains against our own
// version and returns rich and informational diagnostics in case any
// incompatibilities are detected.
func ( b * Remote ) checkConstraints ( c * disco . Constraints ) tfdiags . Diagnostics {
var diags tfdiags . Diagnostics
if c == nil || c . Minimum == "" || c . Maximum == "" {
return diags
}
// Generate a parsable constraints string.
excluding := ""
if len ( c . Excluding ) > 0 {
excluding = fmt . Sprintf ( ", != %s" , strings . Join ( c . Excluding , ", != " ) )
}
constStr := fmt . Sprintf ( ">= %s%s, <= %s" , c . Minimum , excluding , c . Maximum )
// Create the constraints to check against.
constraints , err := version . NewConstraint ( constStr )
if err != nil {
return diags . Append ( checkConstraintsWarning ( err ) )
}
// Create the version to check.
2018-12-19 10:28:32 -06:00
v , err := version . NewVersion ( tfversion . Version )
2018-12-14 12:31:42 -06:00
if err != nil {
return diags . Append ( checkConstraintsWarning ( err ) )
}
// Return if we satisfy all constraints.
if constraints . Check ( v ) {
return diags
}
// Find out what action (upgrade/downgrade) we should advice.
minimum , err := version . NewVersion ( c . Minimum )
if err != nil {
return diags . Append ( checkConstraintsWarning ( err ) )
}
maximum , err := version . NewVersion ( c . Maximum )
if err != nil {
return diags . Append ( checkConstraintsWarning ( err ) )
}
var excludes [ ] * version . Version
2019-01-23 08:09:42 -06:00
for _ , exclude := range c . Excluding {
v , err := version . NewVersion ( exclude )
if err != nil {
return diags . Append ( checkConstraintsWarning ( err ) )
}
excludes = append ( excludes , v )
}
// Sort all the excludes.
sort . Sort ( version . Collection ( excludes ) )
var action , toVersion string
2018-12-14 12:31:42 -06:00
switch {
case minimum . GreaterThan ( v ) :
action = "upgrade"
toVersion = ">= " + minimum . String ( )
case maximum . LessThan ( v ) :
action = "downgrade"
toVersion = "<= " + maximum . String ( )
2019-01-23 08:09:42 -06:00
case len ( excludes ) > 0 :
2018-12-14 12:31:42 -06:00
// Get the latest excluded version.
action = "upgrade"
toVersion = "> " + excludes [ len ( excludes ) - 1 ] . String ( )
}
switch {
case len ( excludes ) == 1 :
excluding = fmt . Sprintf ( ", excluding version %s" , excludes [ 0 ] . String ( ) )
case len ( excludes ) > 1 :
var vs [ ] string
for _ , v := range excludes {
vs = append ( vs , v . String ( ) )
}
excluding = fmt . Sprintf ( ", excluding versions %s" , strings . Join ( vs , ", " ) )
default :
excluding = ""
}
summary := fmt . Sprintf ( "Incompatible Terraform version v%s" , v . String ( ) )
details := fmt . Sprintf (
"The configured Terraform Enterprise backend is compatible with Terraform " +
2018-12-19 10:28:32 -06:00
"versions >= %s, <= %s%s." , c . Minimum , c . Maximum , excluding ,
2018-12-14 12:31:42 -06:00
)
if action != "" && toVersion != "" {
summary = fmt . Sprintf ( "Please %s Terraform to %s" , action , toVersion )
details += fmt . Sprintf ( " Please %s to a supported version and try again." , action )
}
// Return the customized and informational error message.
return diags . Append ( tfdiags . Sourceless ( tfdiags . Error , summary , details ) )
2018-10-31 10:45:03 -05:00
}
// token returns the token for this host as configured in the credentials
// section of the CLI Config File. If no token was configured, an empty
// string will be returned instead.
2018-12-14 12:31:42 -06:00
func ( b * Remote ) token ( ) ( string , error ) {
hostname , err := svchost . ForComparison ( b . hostname )
2018-10-31 10:45:03 -05:00
if err != nil {
return "" , err
}
2018-12-14 12:31:42 -06:00
creds , err := b . services . CredentialsForHost ( hostname )
2018-10-31 10:45:03 -05:00
if err != nil {
2018-12-14 12:31:42 -06:00
log . Printf ( "[WARN] Failed to get credentials for %s: %s (ignoring)" , b . hostname , err )
2018-10-31 10:45:03 -05:00
return "" , nil
}
if creds != nil {
return creds . Token ( ) , nil
}
return "" , nil
}
2019-03-06 06:36:06 -06:00
// retryLogHook is invoked each time a request is retried allowing the
// backend to log any connection issues to prevent data loss.
func ( b * Remote ) retryLogHook ( attemptNum int , resp * http . Response ) {
if b . CLI != nil {
// Ignore the first retry to make sure any delayed output will
// be written to the console before we start logging retries.
//
// The retry logic in the TFE client will retry both rate limited
// requests and server errors, but in the remote backend we only
// care about server errors so we ignore rate limit (429) errors.
2020-06-22 14:02:23 -05:00
if attemptNum == 0 || ( resp != nil && resp . StatusCode == 429 ) {
2019-03-06 06:36:06 -06:00
// Reset the last retry time.
b . lastRetry = time . Now ( )
return
}
if attemptNum == 1 {
b . CLI . Output ( b . Colorize ( ) . Color ( strings . TrimSpace ( initialRetryError ) ) )
} else {
b . CLI . Output ( b . Colorize ( ) . Color ( strings . TrimSpace (
fmt . Sprintf ( repeatedRetryError , time . Since ( b . lastRetry ) . Round ( time . Second ) ) ) ) )
}
}
}
2018-11-26 07:06:27 -06:00
// Workspaces implements backend.Enhanced.
func ( b * Remote ) Workspaces ( ) ( [ ] string , error ) {
if b . prefix == "" {
return nil , backend . ErrWorkspacesNotSupported
}
return b . workspaces ( )
}
// workspaces returns a filtered list of remote workspace names.
func ( b * Remote ) workspaces ( ) ( [ ] string , error ) {
2022-03-23 15:58:47 -05:00
options := & tfe . WorkspaceListOptions { }
2018-11-26 07:06:27 -06:00
switch {
case b . workspace != "" :
2022-03-23 15:58:47 -05:00
options . Search = b . workspace
2018-11-26 07:06:27 -06:00
case b . prefix != "" :
2022-03-23 15:58:47 -05:00
options . Search = b . prefix
2018-11-26 07:06:27 -06:00
}
// Create a slice to contain all the names.
var names [ ] string
for {
wl , err := b . client . Workspaces . List ( context . Background ( ) , b . organization , options )
if err != nil {
return nil , err
}
for _ , w := range wl . Items {
if b . workspace != "" && w . Name == b . workspace {
names = append ( names , backend . DefaultStateName )
continue
}
if b . prefix != "" && strings . HasPrefix ( w . Name , b . prefix ) {
names = append ( names , strings . TrimPrefix ( w . Name , b . prefix ) )
}
}
// Exit the loop when we've seen all pages.
if wl . CurrentPage >= wl . TotalPages {
break
}
// Update the page number to get the next page.
options . PageNumber = wl . NextPage
}
// Sort the result so we have consistent output.
sort . StringSlice ( names ) . Sort ( )
return names , nil
}
2021-11-03 14:41:55 -05:00
// WorkspaceNamePattern provides an appropriate workspace renaming pattern for backend migration
// purposes (handled outside of this package), based on previous usage of this backend with the
// 'prefix' workspace functionality. As of this writing, see meta_backend.migrate.go
func ( b * Remote ) WorkspaceNamePattern ( ) string {
if b . prefix != "" {
return b . prefix + "*"
}
return ""
}
2018-11-26 07:06:27 -06:00
// DeleteWorkspace implements backend.Enhanced.
2022-10-05 14:57:09 -05:00
func ( b * Remote ) DeleteWorkspace ( name string , _ bool ) error {
2018-11-26 07:06:27 -06:00
if b . workspace == "" && name == backend . DefaultStateName {
return backend . ErrDefaultWorkspaceNotSupported
}
if b . prefix == "" && name != backend . DefaultStateName {
return backend . ErrWorkspacesNotSupported
}
// Configure the remote workspace name.
switch {
case name == backend . DefaultStateName :
name = b . workspace
case b . prefix != "" && ! strings . HasPrefix ( name , b . prefix ) :
name = b . prefix + name
}
client := & remoteClient {
client : b . client ,
organization : b . organization ,
2018-11-30 12:31:58 -06:00
workspace : & tfe . Workspace {
Name : name ,
} ,
2018-11-26 07:06:27 -06:00
}
return client . Delete ( )
}
2018-11-15 13:26:46 -06:00
// StateMgr implements backend.Enhanced.
2020-08-11 10:23:42 -05:00
func ( b * Remote ) StateMgr ( name string ) ( statemgr . Full , error ) {
2018-11-15 13:26:46 -06:00
if b . workspace == "" && name == backend . DefaultStateName {
return nil , backend . ErrDefaultWorkspaceNotSupported
}
if b . prefix == "" && name != backend . DefaultStateName {
2018-10-31 10:45:03 -05:00
return nil , backend . ErrWorkspacesNotSupported
}
2018-11-15 13:26:46 -06:00
// Configure the remote workspace name.
2018-10-31 10:45:03 -05:00
switch {
2018-11-15 13:26:46 -06:00
case name == backend . DefaultStateName :
name = b . workspace
case b . prefix != "" && ! strings . HasPrefix ( name , b . prefix ) :
name = b . prefix + name
2018-10-31 10:45:03 -05:00
}
2018-11-30 12:31:58 -06:00
workspace , err := b . client . Workspaces . Read ( context . Background ( ) , b . organization , name )
if err != nil && err != tfe . ErrResourceNotFound {
return nil , fmt . Errorf ( "Failed to retrieve workspace %s: %v" , name , err )
}
if err == tfe . ErrResourceNotFound {
2018-11-15 13:26:46 -06:00
options := tfe . WorkspaceCreateOptions {
Name : tfe . String ( name ) ,
2018-10-31 10:45:03 -05:00
}
2018-11-15 13:26:46 -06:00
// We only set the Terraform Version for the new workspace if this is
// a release candidate or a final release.
2018-12-14 12:31:42 -06:00
if tfversion . Prerelease == "" || strings . HasPrefix ( tfversion . Prerelease , "rc" ) {
options . TerraformVersion = tfe . String ( tfversion . String ( ) )
2018-10-31 10:45:03 -05:00
}
2018-11-30 12:31:58 -06:00
workspace , err = b . client . Workspaces . Create ( context . Background ( ) , b . organization , options )
2018-11-15 13:26:46 -06:00
if err != nil {
return nil , fmt . Errorf ( "Error creating workspace %s: %v" , name , err )
2018-10-31 10:45:03 -05:00
}
}
backend: Validate remote backend Terraform version
When using the enhanced remote backend, a subset of all Terraform
operations are supported. Of these, only plan and apply can be executed
on the remote infrastructure (e.g. Terraform Cloud). Other operations
run locally and use the remote backend for state storage.
This causes problems when the local version of Terraform does not match
the configured version from the remote workspace. If the two versions
are incompatible, an `import` or `state mv` operation can cause the
remote workspace to be unusable until a manual fix is applied.
To prevent this from happening accidentally, this commit introduces a
check that the local Terraform version and the configured remote
workspace Terraform version are compatible. This check is skipped for
commands which do not write state, and can also be disabled by the use
of a new command-line flag, `-ignore-remote-version`.
Terraform version compatibility is defined as:
- For all releases before 0.14.0, local must exactly equal remote, as
two different versions cannot share state;
- 0.14.0 to 1.0.x are compatible, as we will not change the state
version number until at least Terraform 1.1.0;
- Versions after 1.1.0 must have the same major and minor versions, as
we will not change the state version number in a patch release.
If the two versions are incompatible, a diagnostic is displayed,
advising that the error can be suppressed with `-ignore-remote-version`.
When this flag is used, the diagnostic is still displayed, but as a
warning instead of an error.
Commands which will not write state can assert this fact by calling the
helper `meta.ignoreRemoteBackendVersionConflict`, which will disable the
checks. Those which can write state should instead call the helper
`meta.remoteBackendVersionCheck`, which will return diagnostics for
display.
In addition to these explicit paths for managing the version check, we
have an implicit check in the remote backend's state manager
initialization method. Both of the above helpers will disable this
check. This fallback is in place to ensure that future code paths which
access state cannot accidentally skip the remote version check.
2020-11-13 15:43:56 -06:00
// This is a fallback error check. Most code paths should use other
// mechanisms to check the version, then set the ignoreVersionConflict
// field to true. This check is only in place to ensure that we don't
// accidentally upgrade state with a new code path, and the version check
// logic is coarser and simpler.
if ! b . ignoreVersionConflict {
2020-12-08 13:46:56 -06:00
wsv := workspace . TerraformVersion
// Explicitly ignore the pseudo-version "latest" here, as it will cause
// plan and apply to always fail.
if wsv != tfversion . String ( ) && wsv != "latest" {
backend: Validate remote backend Terraform version
When using the enhanced remote backend, a subset of all Terraform
operations are supported. Of these, only plan and apply can be executed
on the remote infrastructure (e.g. Terraform Cloud). Other operations
run locally and use the remote backend for state storage.
This causes problems when the local version of Terraform does not match
the configured version from the remote workspace. If the two versions
are incompatible, an `import` or `state mv` operation can cause the
remote workspace to be unusable until a manual fix is applied.
To prevent this from happening accidentally, this commit introduces a
check that the local Terraform version and the configured remote
workspace Terraform version are compatible. This check is skipped for
commands which do not write state, and can also be disabled by the use
of a new command-line flag, `-ignore-remote-version`.
Terraform version compatibility is defined as:
- For all releases before 0.14.0, local must exactly equal remote, as
two different versions cannot share state;
- 0.14.0 to 1.0.x are compatible, as we will not change the state
version number until at least Terraform 1.1.0;
- Versions after 1.1.0 must have the same major and minor versions, as
we will not change the state version number in a patch release.
If the two versions are incompatible, a diagnostic is displayed,
advising that the error can be suppressed with `-ignore-remote-version`.
When this flag is used, the diagnostic is still displayed, but as a
warning instead of an error.
Commands which will not write state can assert this fact by calling the
helper `meta.ignoreRemoteBackendVersionConflict`, which will disable the
checks. Those which can write state should instead call the helper
`meta.remoteBackendVersionCheck`, which will return diagnostics for
display.
In addition to these explicit paths for managing the version check, we
have an implicit check in the remote backend's state manager
initialization method. Both of the above helpers will disable this
check. This fallback is in place to ensure that future code paths which
access state cannot accidentally skip the remote version check.
2020-11-13 15:43:56 -06:00
return nil , fmt . Errorf ( "Remote workspace Terraform version %q does not match local Terraform version %q" , workspace . TerraformVersion , tfversion . String ( ) )
}
}
2018-11-15 13:26:46 -06:00
client := & remoteClient {
client : b . client ,
organization : b . organization ,
2018-11-30 12:31:58 -06:00
workspace : workspace ,
2018-10-31 10:45:03 -05:00
2018-11-15 13:26:46 -06:00
// This is optionally set during Terraform Enterprise runs.
runID : os . Getenv ( "TFE_RUN_ID" ) ,
}
return & remote . State { Client : client } , nil
2018-10-31 10:45:03 -05:00
}
2022-03-15 16:42:11 -05:00
func isLocalExecutionMode ( execMode string ) bool {
return execMode == "local"
}
2018-10-31 10:45:03 -05:00
2022-03-15 16:42:11 -05:00
func ( b * Remote ) fetchWorkspace ( ctx context . Context , organization string , name string ) ( * tfe . Workspace , error ) {
remoteWorkspaceName := b . getRemoteWorkspaceName ( name )
2018-11-15 13:26:46 -06:00
// Retrieve the workspace for this operation.
2022-03-15 16:42:11 -05:00
w , err := b . client . Workspaces . Read ( ctx , b . organization , remoteWorkspaceName )
2018-11-15 13:26:46 -06:00
if err != nil {
2018-12-13 16:12:36 -06:00
switch err {
case context . Canceled :
return nil , err
case tfe . ErrResourceNotFound :
return nil , fmt . Errorf (
"workspace %s not found\n\n" +
"The configured \"remote\" backend returns '404 Not Found' errors for resources\n" +
"that do not exist, as well as for resources that a user doesn't have access\n" +
2022-03-15 16:42:11 -05:00
"to. If the resource does exist, please check the rights for the used token" ,
2018-12-13 16:12:36 -06:00
name ,
)
default :
2022-03-15 16:42:11 -05:00
err := fmt . Errorf (
"the configured \"remote\" backend encountered an unexpected error:\n\n%s" ,
2018-12-13 16:12:36 -06:00
err ,
)
2022-03-15 16:42:11 -05:00
return nil , err
2018-12-13 16:12:36 -06:00
}
2018-11-15 13:26:46 -06:00
}
2022-03-15 16:42:11 -05:00
return w , nil
}
// Operation implements backend.Enhanced.
func ( b * Remote ) Operation ( ctx context . Context , op * backend . Operation ) ( * backend . RunningOperation , error ) {
w , err := b . fetchWorkspace ( ctx , b . organization , op . Workspace )
if err != nil {
return nil , err
}
2020-12-17 11:56:13 -06:00
// Terraform remote version conflicts are not a concern for operations. We
// are in one of three states:
//
// - Running remotely, in which case the local version is irrelevant;
// - Workspace configured for local operations, in which case the remote
// version is meaningless;
// - Forcing local operations with a remote backend, which should only
// happen in the Terraform Cloud worker, in which case the Terraform
// versions by definition match.
b . IgnoreVersionConflict ( )
2018-11-15 13:26:46 -06:00
// Check if we need to use the local backend to run the operation.
2022-03-15 16:42:11 -05:00
if b . forceLocal || isLocalExecutionMode ( w . ExecutionMode ) {
2021-04-16 10:43:57 -05:00
// Record that we're forced to run operations locally to allow the
// command package UI to operate correctly
b . forceLocal = true
backend/local: Check dependency lock consistency before any operations
In historical versions of Terraform the responsibility to check this was
inside the terraform.NewContext function, along with various other
assorted concerns that made that function particularly complicated.
More recently, we reduced the responsibility of the "terraform" package
only to instantiating particular named plugins, assuming that its caller
is responsible for selecting appropriate versions of any providers that
_are_ external. However, until this commit we were just assuming that
"terraform init" had correctly selected appropriate plugins and recorded
them in the lock file, and so nothing was dealing with the problem of
ensuring that there haven't been any changes to the lock file or config
since the most recent "terraform init" which would cause us to need to
re-evaluate those decisions.
Part of the game here is to slightly extend the role of the dependency
locks object to also carry information about a subset of provider
addresses whose lock entries we're intentionally disregarding as part of
the various little edge-case features we have for overridding providers:
dev_overrides, "unmanaged providers", and the testing overrides in our
own unit tests. This is an in-memory-only annotation, never included in
the serialized plan files on disk.
I had originally intended to create a new package to encapsulate all of
this plugin-selection logic, including both the version constraint
checking here and also the handling of the provider factory functions, but
as an interim step I've just made version constraint consistency checks
the responsibility of the backend/local package, which means that we'll
always catch problems as part of preparing for local operations, while
not imposing these additional checks on commands that _don't_ run local
operations, such as "terraform apply" when in remote operations mode.
2021-09-29 19:31:43 -05:00
log . Printf ( "[DEBUG] Remote backend is delegating %s to the local backend" , op . Type )
2018-11-15 13:26:46 -06:00
return b . local . Operation ( ctx , op )
}
// Set the remote workspace name.
op . Workspace = w . Name
2018-10-31 10:45:03 -05:00
// Determine the function to call for our operation
2018-11-15 13:26:46 -06:00
var f func ( context . Context , context . Context , * backend . Operation , * tfe . Workspace ) ( * tfe . Run , error )
2018-10-31 10:45:03 -05:00
switch op . Type {
case backend . OperationTypePlan :
f = b . opPlan
case backend . OperationTypeApply :
f = b . opApply
2021-05-27 01:08:39 -05:00
case backend . OperationTypeRefresh :
return nil , fmt . Errorf (
"\n\nThe \"refresh\" operation is not supported when using the \"remote\" backend. " +
"Use \"terraform apply -refresh-only\" instead." )
2018-10-31 10:45:03 -05:00
default :
return nil , fmt . Errorf (
2018-12-13 16:12:36 -06:00
"\n\nThe \"remote\" backend does not support the %q operation." , op . Type )
2018-10-31 10:45:03 -05:00
}
// Lock
b . opLock . Lock ( )
// Build our running operation
// the runninCtx is only used to block until the operation returns.
runningCtx , done := context . WithCancel ( context . Background ( ) )
runningOp := & backend . RunningOperation {
Context : runningCtx ,
PlanEmpty : true ,
}
// stopCtx wraps the context passed in, and is used to signal a graceful Stop.
stopCtx , stop := context . WithCancel ( ctx )
runningOp . Stop = stop
// cancelCtx is used to cancel the operation immediately, usually
// indicating that the process is exiting.
cancelCtx , cancel := context . WithCancel ( context . Background ( ) )
runningOp . Cancel = cancel
// Do it.
go func ( ) {
2021-10-27 15:33:35 -05:00
defer logging . PanicHandler ( )
2018-10-31 10:45:03 -05:00
defer done ( )
defer stop ( )
defer cancel ( )
defer b . opLock . Unlock ( )
2018-11-15 13:26:46 -06:00
r , opErr := f ( stopCtx , cancelCtx , op , w )
2018-10-31 10:45:03 -05:00
if opErr != nil && opErr != context . Canceled {
2021-02-12 12:59:14 -06:00
var diags tfdiags . Diagnostics
diags = diags . Append ( opErr )
op . ReportResult ( runningOp , diags )
2018-10-31 10:45:03 -05:00
return
}
2019-02-26 12:12:53 -06:00
if r == nil && opErr == context . Canceled {
runningOp . Result = backend . OperationFailure
return
}
2018-10-31 10:45:03 -05:00
if r != nil {
// Retrieve the run to get its current status.
r , err := b . client . Runs . Read ( cancelCtx , r . ID )
if err != nil {
2021-02-12 12:59:14 -06:00
var diags tfdiags . Diagnostics
diags = diags . Append ( generalError ( "Failed to retrieve run" , err ) )
op . ReportResult ( runningOp , diags )
2018-10-31 10:45:03 -05:00
return
}
// Record if there are any changes.
runningOp . PlanEmpty = ! r . HasChanges
if opErr == context . Canceled {
if err := b . cancel ( cancelCtx , op , r ) ; err != nil {
2021-02-12 12:59:14 -06:00
var diags tfdiags . Diagnostics
diags = diags . Append ( generalError ( "Failed to retrieve run" , err ) )
op . ReportResult ( runningOp , diags )
2018-10-31 10:45:03 -05:00
return
}
}
2019-02-26 12:12:53 -06:00
if r . Status == tfe . RunCanceled || r . Status == tfe . RunErrored {
2018-10-31 10:45:03 -05:00
runningOp . Result = backend . OperationFailure
}
}
} ( )
// Return the running operation.
return runningOp , nil
}
func ( b * Remote ) cancel ( cancelCtx context . Context , op * backend . Operation , r * tfe . Run ) error {
2019-03-07 14:07:13 -06:00
if r . Actions . IsCancelable {
2018-10-31 10:45:03 -05:00
// Only ask if the remote operation should be canceled
// if the auto approve flag is not set.
if ! op . AutoApprove {
2019-03-07 14:07:13 -06:00
v , err := op . UIIn . Input ( cancelCtx , & terraform . InputOpts {
2018-10-31 10:45:03 -05:00
Id : "cancel" ,
2019-03-07 14:07:13 -06:00
Query : "\nDo you want to cancel the remote operation?" ,
2018-10-31 10:45:03 -05:00
Description : "Only 'yes' will be accepted to cancel." ,
} )
if err != nil {
return generalError ( "Failed asking to cancel" , err )
}
if v != "yes" {
if b . CLI != nil {
b . CLI . Output ( b . Colorize ( ) . Color ( strings . TrimSpace ( operationNotCanceled ) ) )
}
return nil
}
} else {
if b . CLI != nil {
// Insert a blank line to separate the ouputs.
b . CLI . Output ( "" )
}
}
// Try to cancel the remote operation.
err := b . client . Runs . Cancel ( cancelCtx , r . ID , tfe . RunCancelOptions { } )
if err != nil {
return generalError ( "Failed to cancel run" , err )
}
if b . CLI != nil {
b . CLI . Output ( b . Colorize ( ) . Color ( strings . TrimSpace ( operationCanceled ) ) )
}
}
return nil
}
backend: Validate remote backend Terraform version
When using the enhanced remote backend, a subset of all Terraform
operations are supported. Of these, only plan and apply can be executed
on the remote infrastructure (e.g. Terraform Cloud). Other operations
run locally and use the remote backend for state storage.
This causes problems when the local version of Terraform does not match
the configured version from the remote workspace. If the two versions
are incompatible, an `import` or `state mv` operation can cause the
remote workspace to be unusable until a manual fix is applied.
To prevent this from happening accidentally, this commit introduces a
check that the local Terraform version and the configured remote
workspace Terraform version are compatible. This check is skipped for
commands which do not write state, and can also be disabled by the use
of a new command-line flag, `-ignore-remote-version`.
Terraform version compatibility is defined as:
- For all releases before 0.14.0, local must exactly equal remote, as
two different versions cannot share state;
- 0.14.0 to 1.0.x are compatible, as we will not change the state
version number until at least Terraform 1.1.0;
- Versions after 1.1.0 must have the same major and minor versions, as
we will not change the state version number in a patch release.
If the two versions are incompatible, a diagnostic is displayed,
advising that the error can be suppressed with `-ignore-remote-version`.
When this flag is used, the diagnostic is still displayed, but as a
warning instead of an error.
Commands which will not write state can assert this fact by calling the
helper `meta.ignoreRemoteBackendVersionConflict`, which will disable the
checks. Those which can write state should instead call the helper
`meta.remoteBackendVersionCheck`, which will return diagnostics for
display.
In addition to these explicit paths for managing the version check, we
have an implicit check in the remote backend's state manager
initialization method. Both of the above helpers will disable this
check. This fallback is in place to ensure that future code paths which
access state cannot accidentally skip the remote version check.
2020-11-13 15:43:56 -06:00
// IgnoreVersionConflict allows commands to disable the fall-back check that
// the local Terraform version matches the remote workspace's configured
// Terraform version. This should be called by commands where this check is
// unnecessary, such as those performing remote operations, or read-only
// operations. It will also be called if the user uses a command-line flag to
// override this check.
func ( b * Remote ) IgnoreVersionConflict ( ) {
b . ignoreVersionConflict = true
}
// VerifyWorkspaceTerraformVersion compares the local Terraform version against
// the workspace's configured Terraform version. If they are equal, this means
// that there are no compatibility concerns, so it returns no diagnostics.
//
// If the versions differ,
func ( b * Remote ) VerifyWorkspaceTerraformVersion ( workspaceName string ) tfdiags . Diagnostics {
var diags tfdiags . Diagnostics
workspace , err := b . getRemoteWorkspace ( context . Background ( ) , workspaceName )
if err != nil {
2021-03-15 14:40:51 -05:00
// If the workspace doesn't exist, there can be no compatibility
// problem, so we can return. This is most likely to happen when
// migrating state from a local backend to a new workspace.
if err == tfe . ErrResourceNotFound {
return nil
}
backend: Validate remote backend Terraform version
When using the enhanced remote backend, a subset of all Terraform
operations are supported. Of these, only plan and apply can be executed
on the remote infrastructure (e.g. Terraform Cloud). Other operations
run locally and use the remote backend for state storage.
This causes problems when the local version of Terraform does not match
the configured version from the remote workspace. If the two versions
are incompatible, an `import` or `state mv` operation can cause the
remote workspace to be unusable until a manual fix is applied.
To prevent this from happening accidentally, this commit introduces a
check that the local Terraform version and the configured remote
workspace Terraform version are compatible. This check is skipped for
commands which do not write state, and can also be disabled by the use
of a new command-line flag, `-ignore-remote-version`.
Terraform version compatibility is defined as:
- For all releases before 0.14.0, local must exactly equal remote, as
two different versions cannot share state;
- 0.14.0 to 1.0.x are compatible, as we will not change the state
version number until at least Terraform 1.1.0;
- Versions after 1.1.0 must have the same major and minor versions, as
we will not change the state version number in a patch release.
If the two versions are incompatible, a diagnostic is displayed,
advising that the error can be suppressed with `-ignore-remote-version`.
When this flag is used, the diagnostic is still displayed, but as a
warning instead of an error.
Commands which will not write state can assert this fact by calling the
helper `meta.ignoreRemoteBackendVersionConflict`, which will disable the
checks. Those which can write state should instead call the helper
`meta.remoteBackendVersionCheck`, which will return diagnostics for
display.
In addition to these explicit paths for managing the version check, we
have an implicit check in the remote backend's state manager
initialization method. Both of the above helpers will disable this
check. This fallback is in place to ensure that future code paths which
access state cannot accidentally skip the remote version check.
2020-11-13 15:43:56 -06:00
diags = diags . Append ( tfdiags . Sourceless (
tfdiags . Error ,
"Error looking up workspace" ,
fmt . Sprintf ( "Workspace read failed: %s" , err ) ,
) )
return diags
}
2020-12-08 13:46:56 -06:00
// If the workspace has the pseudo-version "latest", all bets are off. We
// cannot reasonably determine what the intended Terraform version is, so
// we'll skip version verification.
if workspace . TerraformVersion == "latest" {
return nil
}
2021-01-05 08:11:19 -06:00
// If the workspace has remote operations disabled, the remote Terraform
// version is effectively meaningless, so we'll skip version verification.
2022-03-15 16:42:11 -05:00
if isLocalExecutionMode ( workspace . ExecutionMode ) {
2021-01-05 08:11:19 -06:00
return nil
}
backend: Validate remote backend Terraform version
When using the enhanced remote backend, a subset of all Terraform
operations are supported. Of these, only plan and apply can be executed
on the remote infrastructure (e.g. Terraform Cloud). Other operations
run locally and use the remote backend for state storage.
This causes problems when the local version of Terraform does not match
the configured version from the remote workspace. If the two versions
are incompatible, an `import` or `state mv` operation can cause the
remote workspace to be unusable until a manual fix is applied.
To prevent this from happening accidentally, this commit introduces a
check that the local Terraform version and the configured remote
workspace Terraform version are compatible. This check is skipped for
commands which do not write state, and can also be disabled by the use
of a new command-line flag, `-ignore-remote-version`.
Terraform version compatibility is defined as:
- For all releases before 0.14.0, local must exactly equal remote, as
two different versions cannot share state;
- 0.14.0 to 1.0.x are compatible, as we will not change the state
version number until at least Terraform 1.1.0;
- Versions after 1.1.0 must have the same major and minor versions, as
we will not change the state version number in a patch release.
If the two versions are incompatible, a diagnostic is displayed,
advising that the error can be suppressed with `-ignore-remote-version`.
When this flag is used, the diagnostic is still displayed, but as a
warning instead of an error.
Commands which will not write state can assert this fact by calling the
helper `meta.ignoreRemoteBackendVersionConflict`, which will disable the
checks. Those which can write state should instead call the helper
`meta.remoteBackendVersionCheck`, which will return diagnostics for
display.
In addition to these explicit paths for managing the version check, we
have an implicit check in the remote backend's state manager
initialization method. Both of the above helpers will disable this
check. This fallback is in place to ensure that future code paths which
access state cannot accidentally skip the remote version check.
2020-11-13 15:43:56 -06:00
remoteVersion , err := version . NewSemver ( workspace . TerraformVersion )
if err != nil {
diags = diags . Append ( tfdiags . Sourceless (
tfdiags . Error ,
"Error looking up workspace" ,
fmt . Sprintf ( "Invalid Terraform version: %s" , err ) ,
) )
return diags
}
v014 := version . Must ( version . NewSemver ( "0.14.0" ) )
if tfversion . SemVer . LessThan ( v014 ) || remoteVersion . LessThan ( v014 ) {
// Versions of Terraform prior to 0.14.0 will refuse to load state files
// written by a newer version of Terraform, even if it is only a patch
// level difference. As a result we require an exact match.
if tfversion . SemVer . Equal ( remoteVersion ) {
return diags
}
}
if tfversion . SemVer . GreaterThanOrEqual ( v014 ) && remoteVersion . GreaterThanOrEqual ( v014 ) {
// Versions of Terraform after 0.14.0 should be compatible with each
// other. At the time this code was written, the only constraints we
// are aware of are:
//
// - 0.14.0 is guaranteed to be compatible with versions up to but not
2022-05-03 13:28:41 -05:00
// including 1.3.0
v130 := version . Must ( version . NewSemver ( "1.3.0" ) )
if tfversion . SemVer . LessThan ( v130 ) && remoteVersion . LessThan ( v130 ) {
backend: Validate remote backend Terraform version
When using the enhanced remote backend, a subset of all Terraform
operations are supported. Of these, only plan and apply can be executed
on the remote infrastructure (e.g. Terraform Cloud). Other operations
run locally and use the remote backend for state storage.
This causes problems when the local version of Terraform does not match
the configured version from the remote workspace. If the two versions
are incompatible, an `import` or `state mv` operation can cause the
remote workspace to be unusable until a manual fix is applied.
To prevent this from happening accidentally, this commit introduces a
check that the local Terraform version and the configured remote
workspace Terraform version are compatible. This check is skipped for
commands which do not write state, and can also be disabled by the use
of a new command-line flag, `-ignore-remote-version`.
Terraform version compatibility is defined as:
- For all releases before 0.14.0, local must exactly equal remote, as
two different versions cannot share state;
- 0.14.0 to 1.0.x are compatible, as we will not change the state
version number until at least Terraform 1.1.0;
- Versions after 1.1.0 must have the same major and minor versions, as
we will not change the state version number in a patch release.
If the two versions are incompatible, a diagnostic is displayed,
advising that the error can be suppressed with `-ignore-remote-version`.
When this flag is used, the diagnostic is still displayed, but as a
warning instead of an error.
Commands which will not write state can assert this fact by calling the
helper `meta.ignoreRemoteBackendVersionConflict`, which will disable the
checks. Those which can write state should instead call the helper
`meta.remoteBackendVersionCheck`, which will return diagnostics for
display.
In addition to these explicit paths for managing the version check, we
have an implicit check in the remote backend's state manager
initialization method. Both of the above helpers will disable this
check. This fallback is in place to ensure that future code paths which
access state cannot accidentally skip the remote version check.
2020-11-13 15:43:56 -06:00
return diags
}
// - Any new Terraform state version will require at least minor patch
// increment, so x.y.* will always be compatible with each other
tfvs := tfversion . SemVer . Segments64 ( )
rwvs := remoteVersion . Segments64 ( )
if len ( tfvs ) == 3 && len ( rwvs ) == 3 && tfvs [ 0 ] == rwvs [ 0 ] && tfvs [ 1 ] == rwvs [ 1 ] {
return diags
}
}
// Even if ignoring version conflicts, it may still be useful to call this
// method and warn the user about a mismatch between the local and remote
// Terraform versions.
severity := tfdiags . Error
if b . ignoreVersionConflict {
severity = tfdiags . Warning
}
suggestion := " If you're sure you want to upgrade the state, you can force Terraform to continue using the -ignore-remote-version flag. This may result in an unusable workspace."
if b . ignoreVersionConflict {
suggestion = ""
}
diags = diags . Append ( tfdiags . Sourceless (
severity ,
"Terraform version mismatch" ,
fmt . Sprintf (
"The local Terraform version (%s) does not match the configured version for remote workspace %s/%s (%s).%s" ,
tfversion . String ( ) ,
b . organization ,
workspace . Name ,
workspace . TerraformVersion ,
suggestion ,
) ,
) )
return diags
}
2021-04-16 10:43:57 -05:00
func ( b * Remote ) IsLocalOperations ( ) bool {
return b . forceLocal
}
2018-10-31 10:45:03 -05:00
func generalError ( msg string , err error ) error {
var diags tfdiags . Diagnostics
if urlErr , ok := err . ( * url . Error ) ; ok {
err = urlErr . Err
}
switch err {
case context . Canceled :
return err
case tfe . ErrResourceNotFound :
diags = diags . Append ( tfdiags . Sourceless (
tfdiags . Error ,
fmt . Sprintf ( "%s: %v" , msg , err ) ,
` The configured "remote" backend returns '404 Not Found' errors for resources ` +
` that do not exist, as well as for resources that a user doesn't have access ` +
2020-05-04 09:34:50 -05:00
` to. If the resource does exist, please check the rights for the used token. ` ,
2018-10-31 10:45:03 -05:00
) )
return diags . Err ( )
default :
diags = diags . Append ( tfdiags . Sourceless (
tfdiags . Error ,
fmt . Sprintf ( "%s: %v" , msg , err ) ,
` The configured "remote" backend encountered an unexpected error. Sometimes ` +
` this is caused by network connection problems, in which case you could retry ` +
` the command. If the issue persists please open a support ticket to get help ` +
` resolving the problem. ` ,
) )
return diags . Err ( )
}
}
2018-12-14 12:31:42 -06:00
func checkConstraintsWarning ( err error ) tfdiags . Diagnostic {
return tfdiags . Sourceless (
tfdiags . Warning ,
fmt . Sprintf ( "Failed to check version constraints: %v" , err ) ,
"Checking version constraints is considered optional, but this is an" +
"unexpected error which should be reported." ,
)
}
2019-03-06 06:36:06 -06:00
// The newline in this error is to make it look good in the CLI!
const initialRetryError = `
[ reset ] [ yellow ] There was an error connecting to the remote backend . Please do not exit
Terraform to prevent data loss ! Trying to restore the connection ...
[ reset ]
`
const repeatedRetryError = `
[ reset ] [ yellow ] Still trying to restore the connection ... ( % s elapsed ) [ reset ]
`
2018-10-31 10:45:03 -05:00
const operationCanceled = `
[ reset ] [ red ] The remote operation was successfully cancelled . [ reset ]
`
const operationNotCanceled = `
[ reset ] [ red ] The remote operation was not cancelled . [ reset ]
`
var schemaDescriptions = map [ string ] string {
"hostname" : "The remote backend hostname to connect to (defaults to app.terraform.io)." ,
"organization" : "The name of the organization containing the targeted workspace(s)." ,
"token" : "The token used to authenticate with the remote backend. If credentials for the\n" +
"host are configured in the CLI Config File, then those will be used instead." ,
"name" : "A workspace name used to map the default workspace to a named remote workspace.\n" +
"When configured only the default workspace can be used. This option conflicts\n" +
"with \"prefix\"" ,
"prefix" : "A prefix used to filter workspaces using a single configuration. New workspaces\n" +
"will automatically be prefixed with this prefix. If omitted only the default\n" +
"workspace can be used. This option conflicts with \"name\"" ,
}