Commit Graph

30587 Commits

Author SHA1 Message Date
James Bardin
3ea704ef81 Make the pre-destroy refresh a full plan
In order to complete the terraform destroy command, a refresh must first
be done to update state and remove any instances which have already been
deleted externally. This was being done with a refresh plan, which will
avoid any condition evaluations and avoid planning new instances. That
however can fail due to invalid references from resources that are
already missing from the state.

A new plan type to handle the concept of the pre-destroy-refresh is
needed here, which should probably be incorporated directly into the
destroy plan, just like the original refresh walk was incorporated into
the normal planning process. That however is major refactoring that is
not appropriate for a patch release.

Instead we make two discrete changes here to prevent blocking a destroy
plan. The first is to use a normal plan to refresh, which will enable
evaluation because missing and inconsistent instances will be planned
for creation and updates, allowing them to be evaluated. That is not
optimal of course, but does revert to the method used by previous
Terraform releases until a better method can be implemented.

The second change is adding a preDestroyRefresh flag to the planning
process. This is checked in any location which evalCheckRules is called,
and lets us change the diagnosticSeverity of the output to only be
warnings, matching the behavior of a normal refresh plan.
2022-11-11 14:33:50 -05:00
Liam Cervante
0c7fda1906
Update HCL and go-cty to fix optional and default attributes (#32178)
* Add test cases to verify all the default and optional issues are fixed

* actually commit all the tests

* update go-cty

* Update hcl
2022-11-10 14:00:16 +00:00
hc-github-team-tf-core
38763a5694 Cleanup after v1.4.0-alpha20221109 release 2022-11-09 18:28:01 +00:00
hc-github-team-tf-core
9add90c256
Release v1.4.0-alpha20221109 2022-11-09 18:10:18 +00:00
Laura Pacilio
0227952ace
Merge pull request #31274 from irab/patch-1
Additional note on usage of single quotes for for_each resources
2022-11-09 11:08:58 -05:00
Ira
a32648aa53
Update website/docs/cli/commands/state/show.mdx
Co-authored-by: Laura Pacilio <83350965+laurapacilio@users.noreply.github.com>
2022-11-09 12:01:41 +13:00
Laura Pacilio
8664c9c1f8
Merge pull request #31991 from sigwinch28/patch-1
Document provider registry response property shasum
2022-11-08 17:15:28 -05:00
Joe Harrison
92719db198
Update website/docs/internals/provider-registry-protocol.mdx
Co-authored-by: Laura Pacilio <83350965+laurapacilio@users.noreply.github.com>
2022-11-08 11:04:14 +00:00
Laura Pacilio
a574e95dcd
Merge pull request #31834 from fungusakafungus/patch-1
Looks like a copy-paste error
2022-11-07 15:54:19 -05:00
Martin Atkins
1734e17cce
Update CHANGELOG.md 2022-11-04 16:21:32 -07:00
Martin Atkins
d0a35c60a7 providercache: Ignore lock-mismatching global cache entries
When we originally introduced the trust-on-first-use checksum locking
mechanism in v0.14, we had to make some tricky decisions about how it
should interact with the pre-existing optional read-through global cache
of provider packages:

The global cache essentially conflicts with the checksum locking because
if the needed provider is already in the cache then Terraform skips
installing the provider from upstream and therefore misses the opportunity
to capture the signed checksums published by the provider developer. We
can't use the signed checksums to verify a cache entry because the origin
registry protocol is still using the legacy ziphash scheme and that is
only usable for the original zipped provider packages and not for the
unpacked-layout cache directory. Therefore we decided to prioritize the
existing cache directory behavior at the expense of the lock file behavior,
making Terraform produce an incomplete lock file in that case.

Now that we've had some real-world experience with the lock file mechanism,
we can see that the chosen compromise was not ideal because it causes
"terraform init" to behave significantly differently in its lock file
update behavior depending on whether or not a particular provider is
already cached. By robbing Terraform of its opportunity to fetch the
official checksums, Terraform must generate a lock file that is inherently
non-portable, which is problematic for any team which works with the same
Terraform configuration on multiple different platforms.

This change addresses that problem by essentially flipping the decision so
that we'll prioritize the lock file behavior over the provider cache
behavior. Now a global cache entry is eligible for use if and only if the
lock file already contains a checksum that matches the cache entry. This
means that the first time a particular configuration sees a new provider
it will always be fetched from the configured installation source
(typically the origin registry) and record the checksums from that source.

On subsequent installs of the same provider version already locked,
Terraform will then consider the cache entry to be eligible and skip
re-downloading the same package.

This intentionally makes the global cache mechanism subordinate to the
lock file mechanism: the lock file must be populated in order for the
global cache to be effective. For those who have many separate
configurations which all refer to the same provider version, they will
need to re-download the provider once for each configuration in order to
gather the information needed to populate the lock file, whereas before
they would have only downloaded it for the _first_ configuration using
that provider.

This should therefore remove the most significant cause of folks ending
up with incomplete lock files that don't work for colleagues using other
platforms, and the expense of bypassing the cache for the first use of
each new package with each new configuration. This tradeoff seems
reasonable because otherwise such users would inevitably need to run
"terraform providers lock" separately anyway, and that command _always_
bypasses the cache. Although this change does decrease the hit rate of the
cache, if we subtract the never-cached downloads caused by
"terraform providers lock" then this is a net benefit overall, and does
the right thing by default without the need to run a separate command.
2022-11-04 16:18:15 -07:00
Brandon Croft
be5984d664
Merge pull request #32004 from hashicorp/brandonc/nested_attr_sensitive
fix: don't reveal nested attributes with sensitive schema
2022-11-02 16:18:04 -06:00
Matthew Garrell
4148dbf016
Merge pull request #32125 from hashicorp/fix-links-devdot
fix broken links
2022-11-02 15:05:51 -04:00
Martin Atkins
543a30283f
Update CHANGELOG.md 2022-11-02 09:11:23 -07:00
Martin Atkins
0170ed606c
Update CHANGELOG.md 2022-11-02 09:09:06 -07:00
Martin Atkins
241bd7cd83 Build with Go 1.19.3
This includes a small selection of security-related fixes which do not
urgently impact Terraform's behavior but do close some potential avenues
for unbounded resource usage or misbehavior with malicious input:

 - https://github.com/golang/go/issues/54853
 - https://github.com/golang/go/issues/55949
 - https://github.com/golang/go/issues/56284
2022-11-02 08:56:51 -07:00
kmoe
755757e8b2
build: exclude .go-version from imports check (#32141) 2022-11-02 15:49:01 +00:00
James Bardin
52d724d1d0
Merge pull request #32115 from hashicorp/jbardin/apply-refresh-plan
don't lose checks from refresh-only plan
2022-11-02 11:05:15 -04:00
James Bardin
1100eae89f use UIMode instead of 0 changes to detect refresh 2022-11-02 10:56:08 -04:00
James Bardin
cccfa5e4af
Merge pull request #32111 from hashicorp/jbardin/refresh-only-data-read
don't plan data source reads during refresh-only
2022-11-02 08:32:50 -04:00
Liam Cervante
6521355ba5
Convert variable types before applying defaults (#32027)
* Convert variable types before applying defaults

* revert change to unrelated test

* Add another test case to verify behaviour

* update go-cty

* Update internal/terraform/eval_variable.go

Co-authored-by: alisdair <alisdair@users.noreply.github.com>

Co-authored-by: alisdair <alisdair@users.noreply.github.com>
2022-11-02 09:38:23 +01:00
Graham Davison
6663cde619
Merge pull request #23965 from tpaschalis/disallow-s3-backend-key-trailing-slash
S3 Backend : Bucket key should not contain trailing slash
2022-11-01 13:56:43 -07:00
James Bardin
bb68075e8c
Merge pull request #32123 from hashicorp/jbardin/noop-apply-optimizations
Apply optimizations for handling of condition checks
2022-11-01 16:32:43 -04:00
James Bardin
efd77159dd use key data from plan method for apply 2022-11-01 16:18:38 -04:00
James Bardin
ffe2e3935e avoid re-writing state for noop applies
We need to avoid re-writing the state for every NoOp apply. We may
still be evaluating the instance to account for any side-effects in the
condition checks, however the state of the instance has not changes.
Re-writing the state is a non-current operation, which may require
encoding a fairly large instance state and re-serializing the entire
state blob, so it is best avoided if possible.
2022-11-01 16:18:38 -04:00
James Bardin
eb88ccbc7b only add NoOp nodes with conditions
ONly add NoOp changes to the apply graph if they have conditions which
need to be evaluated.
2022-11-01 16:18:38 -04:00
James Bardin
19152e7ba5 fix log mesage 2022-11-01 16:18:38 -04:00
James Bardin
eae246cfb5 normalize empty CheckResults fields in stateV4
Ensure that empty check results are normalized in state serialization to
prevent unexpected state changes from being written.

Because there is no consistent empty, null and omit_empty usage for
state structs, there's no good way to create a test which will fail
for future additions.
2022-11-01 16:18:38 -04:00
James Bardin
fa4c652013 changes are mutated during apply 2022-11-01 16:18:38 -04:00
James Bardin
b61c02da05 don't lose checks from refresh-only plan
If there are no changes, then there is no reason to create an apply
graph since all objects are known. We however do need the walk to match
the expected state structure. This is probably only cleanup of empty
nested modules and outputs, but some investigation is needed before
making the full change.

For now we can store the checks from the plan directly into the new
state, since the apply walk overwrote the results we had already.
2022-11-01 16:18:38 -04:00
Paschalis Tsilias
4cb355f3d6 S3 Backend : Bucket key should not contain trailing slash 2022-10-31 16:19:26 -07:00
Laura Pacilio
ec42b167d7 fix broken links 2022-10-31 14:46:15 -04:00
Tom Bamford
ff68c8d129
Merge pull request #31966 from kschu91/feature/azure-generic-oidc
backend/azurerm: add support for generic OIDC authentication
2022-10-31 11:25:36 +00:00
Sarah French
74e6bf08f1
Update CHANGELOG.md 2022-10-28 22:20:42 +01:00
Liam Nesteroff
5957d2657a
Update GCS backend docs for TF >=0.12 (#32065)
* Update gcs.mdx

Updated GCS remote backend to include the >=0.12 remote backend data source formatting (incl .output before output name)

* Update gcs.mdx

removed old data source example

* Update gcs.mdx

updated to local_file and output->outputs

* Update gcs.mdx

removed "outputs" from the pre 0.12 ref
2022-10-28 22:18:25 +01:00
Craig Wright
ab45c21cc1
Merge pull request #32114 from hashicorp/remove-noreviews-update
Update CONTRIBUTING.md
2022-10-28 12:08:32 -07:00
Craig Wright
3b8e97c38c
Update CONTRIBUTING.md
Removing the statement which does not reflect the current status for reviews of community-contributed pull requests.
2022-10-28 11:28:54 -07:00
James Bardin
300ad02937 don't plan data source reads during refresh-only
When executing a refresh-only plan, it is not valid to plan a data
source read. If the data source config is not known during planning, the
only valid update would be the prior state, if there is any.
2022-10-28 10:45:49 -04:00
Ira
c147389cf8
Update website/docs/cli/commands/state/show.mdx
Co-authored-by: Laura Pacilio <83350965+laurapacilio@users.noreply.github.com>
2022-10-26 11:32:28 +13:00
Brandon Croft
f5de1099ff
Merge pull request #31768 from hashicorp/brandonc/providers-estimate
Update the # public providers estimate in the Terraform Intro
2022-10-25 11:19:40 -06:00
Brandon Croft
43ade2b6a1
Update website/docs/intro/index.mdx 2022-10-25 10:45:30 -06:00
Laura Pacilio
2aaaf28b75
Merge pull request #31830 from sdinay/patch-2
Update links to deprecated aws_s3_bucket_object to aws_s3_object
2022-10-25 11:17:41 -04:00
Laura Pacilio
20b3e8e5a1
Merge pull request #31792 from mferraroni/doc-s3-fix
Modifies permissions needed to use s3 with dynamoDb locks
2022-10-25 11:15:54 -04:00
Laura Pacilio
5937389c6d
Merge pull request #31597 from LiranV/patch-1
Fix can function example
2022-10-25 11:08:37 -04:00
Laura Pacilio
fbfe5b5a87
Merge pull request #31508 from wzyboy/docs/unknwon-value
docs: fix typo regarding unknown values
2022-10-25 11:07:05 -04:00
Laura Pacilio
c3c6f8327f
Merge pull request #31149 from hashicorp/docs-for-each-list-toset
fix(docs): change set to list when recommending using toset()
2022-10-25 11:04:19 -04:00
Brandon Croft
bd744ad4e9
Unify all sensitive value plan output as "(sensitive value)"
Previously, there was mixed usage of "(sensitive)" and "(sensitive value)" and even though it was more common to see "(sensitive)", the thought is that it's a value we are hiding rather than describing something already shown.
2022-10-24 12:50:46 -06:00
Brandon Croft
076fccd8e7
fix: don't reveal nested attributes with sensitive schema 2022-10-24 12:50:46 -06:00
James Bardin
730756eca2
Merge pull request #32051 from hashicorp/jbardin/destroy-checkable-outputs
Clean up handling of check-related graph nodes
2022-10-20 15:40:23 -04:00
HashiBot
54de574e2b
chore: Update Digital Team Files (#32037)
* Update generated scripts (website-start.sh)

* Update generated website Makefile

* Update generated scripts (should-build.sh)

* Update generated scripts (website-build.sh)

* chore: update root `Makefile`

Co-authored-by: Kevin Wang <kwangsan@gmail.com>
2022-10-20 14:04:57 -04:00