This minor release includes a number of security fixes and other small bug
fixes in the standard library and Go compiler.
The security fixes do not appear to involve functionality critical to
Terraform and so this is not an urgent upgrade, but still worth doing to
reset to a more recent baseline.
This changes which Go version we use for official releases and for
everyday development and testing.
At the time of this commit Go 1.20.1 is available but is not yet included
in goenv, the tool that we use in some environments for reacting
automatically to this file. I expect we'll upgrade to Go 1.20.1 very soon,
but this is a routine upgrade to the latest major release so that we can
start soaking in the new compiler and library behaviors throughout the
v1.5 development period.
Go 1.20 continues to support only Unicode 13, so we do not need to make
any changes to our supporting packages that also rely on Unicode data.
Go 1.19's "fmt" has some awareness of the new doc comment formatting
conventions and adjusts the presentation of the source comments to make
it clearer how godoc would interpret them. Therefore this commit includes
various updates made by "go fmt" to acheve that.
In line with our usual convention that we make stylistic/grammar/spelling
tweaks typically only when we're "in the area" changing something else
anyway, I also took this opportunity to review most of the comments that
this updated to see if there were any other opportunities to improve them.
There is no special reason to do this; we just typically adopt the latest
minor release of the Go toolchain for each new minor release of
Terraform CLI so that we can make use of its new library and language
features gradually over the subsequent patch releases.
Adopting early will give us more time to exercise this and catch any
wrinkles before the Terraform CLI v1.2 release.
This includes the addition of the new "//go:build" comment form in addition
to the legacy "// +build" notation, as produced by gofmt to ensure
consistent behavior between Go versions. The new directives are all
equivalent to what was present before, so there's no change in behavior.
Go 1.17 continues to use the Unicode 13 tables as in Go 1.16, so this
upgrade does not require also upgrading our Unicode-related dependencies.
This upgrade includes the following breaking changes which will also
appear as breaking changes for Terraform users, but that are consistent
with the Terraform v1.0 compatibility promises.
- On MacOS, Terraform now requires macOS 10.13 High Sierra or later.
This upgrade also includes the following breaking changes which will
appear as breaking changes for Terraform users that are inconsistent with
our compatibility promises, but have justified exceptions as follows:
- cidrsubnet, cidrhost, and cidrnetmask will now reject IPv4 CIDR
addresses whose decimal components have leading zeros, where previously
they would just silently ignore those leading zeros.
This is a security-motivated exception to our compatibility promises,
because some external systems interpret zero-prefixed octets as octal
numbers rather than decimal, and thus the previous lenient parsing could
lead to a different interpretation of the address between systems, and
thus potentially allow bypassing policy when configuring firewall rules
etc.
This upgrade also includes the following breaking changes which could
_potentially_ appear as breaking changes for Terraform users, but that do
not in practice for the reasons given:
- The Go net/url package no longer allows query strings with pairs
separated by semicolons instead of ampersands. This primarily affects
HTTP servers written in Go, and Terraform includes a special temporary
HTTP server as part of its implementation of OAuth for "terraform login",
but that server only needs to accept URLs created by Terraform itself
and Terraform does not generate any URLs that would be rejected.
Unfortunately at the moment I'm adding this the release isn't yet
available in the current version of goenv, but due to these including
security stuff and because we're about to make a Terraform release we're
letting this get slightly ahead of goenv on the assumption that it will
catch up shortly.
From the go release notes:
go1.14.3 (released 2020/05/14) includes fixes to cgo, the compiler, the
runtime, and the go/doc and math/big packages.
go1.14.4 (released 2020/06/01) includes fixes to the go doc command, the
runtime, and the encoding/json and os packages.
go1.14.5 (released 2020/07/14) includes security fixes to the
crypto/x509 and net/http packages.
go1.14.6 (released 2020/07/16) includes fixes to the go command, the
compiler, the linker, vet, and the database/sql, encoding/json,
net/http, reflect, and testing packages.
go1.14.7 (released 2020/08/06) includes security fixes to the
encoding/binary package.
https://golang.org/doc/devel/release.html#go1.14.minor
* update vendored azure sdk
* vendor giovanni storage sdk
* Add giovanni clients
* go mod vendor
* Swap to new storage sdk
* workable tests
* update .go-version to 1.14.2
* Tests working minus SAS
* Add SAS Token support
* Update vendor
* Passing tests
* Add date randomizer
* Captalize RG
* Remove random bits
* Update client var name
Co-authored-by: kt <kt@katbyte.me>
This implies some notable changes that will have a visible impact to
end-users of official Terraform releases:
- Terraform is no longer compatible with MacOS 10.10 Yosemite, and
requires at least 10.11 El Capitan. (Relatedly, Go 1.14 is planned to be
the last release to support El Capitan, so while that remains supported
for now, it's notable that Terraform 0.13 is likely to be the last major
release of Terraform supporting it, with 0.14 likely to further require
MacOS 10.12 Sierra.)
- Terraform is no longer compatible with FreeBSD 10.x, which has reached
end-of-life. Terraform now requires FreeBSD 11.2 or later.
- Terraform now supports TLS 1.3 when it makes connections to remote
services such as backends and module registries. Although TLS 1.3 is
backward-compatible in principle, some legacy systems reportedly work
incorrectly when attempting to negotiate it. (This change does not
affect outgoing requests made by provider plugins, though they will see
a similar change in behavior once built with Go 1.13 or later.)
- Ed25519 certificates are now supported for TLS 1.2 and 1.3 connections.
- On UNIX systems where "use-vc" is set in resolv.conf, TCP will now be
used for DNS resolution. This is unlikely to cause issues in practice
because a system set up in this way can presumably already reach its
nameservers over TCP (or else other applications would misbehave), but
could potentially lead to lookup failures in unusual situations where a
system only runs Terraform, has historically had "use-vc" in its
configuration, but yet is blocked from reaching its configured
nameservers over TCP.
- Some parts of Terraform now support Unicode 12.0 when working with
strings. However, notably the Terraform Language itself continues to
use the text segmentation tables from Unicode 9.0, which means it lacks
up-to-date support for recognizing modern emoji combining forms as
single characters. (We may wish to upgrade the text segmentation tables
to Unicode 12.0 tables in a later commit, to restore consistency.)
This also includes some changes to the contents of "vendor", and
particularly to the format of vendor/modules.txt, per the changes to
vendoring in the Go 1.14 toolchain. This new syntax is activated by the
specification of "go 1.14" in the go.mod file.
Finally, the exact format of error messages from the net/http library has
changed since Go 1.12, and so a couple of our tests needed updates to
their expected error messages to match that.
This is the latest 1.12 minor release at the time of writing. We are not
yet upgrading to Go 1.13 because it ends support for MacOS 10.10 and
earlier (Yosemite) and for versions of FreeBSD prior to 11.2, and so we
need to make that switch with care to properly phase those out as
supported platforms in Terraform too.
This is a minor release of Go that does not include any changes that
affect Terraform's behavior.
This does include a fix for golang/go#31084 that could potentially affect
HCL arithmetic (via math/big) on aarch64, but we do not currently build
Terraform for aarch64 so it cannot have affected any previous releases.
This this includes some security fixes that don't impact Terraform along
with a number of general improvements and fixes in the Go toolchain that
don't appear to affect Terraform behavior.
- URL parsing (such as in the "source" argument in a "module" block) now
validates more strictly the port portion, rejecting non-numeric ports.
Previously this could potentially lead to parts of the URL being
silently ignored.
- The temporary callback server for the forthcoming OAuth client
implementation in "terraform login" would otherwise have been vulnerable
to local (on the same host) denial of service attacks, which is not
a common attack vector but good to fix anyway.
An earlier commit incorrectly updated some versions in go.mod without also
updating the vendor tree, so this also rolls those back to where they used
to be so that we can roll them forward carefully and make sure the tests
actually pass. (If we just accept these new versions as specified the
tests do not pass, so some work is required to fix those regressions.)
