Commit Graph

27190 Commits

Author SHA1 Message Date
Paul Thrasher
d380f5873c
Allow runs to continue on tfce error
A cost estimation error does not actually stop a run, so the run was continuing in the background after the cli exits, causing confusion. This change matches the UI behavior.
2020-10-16 17:27:04 -07:00
Martin Atkins
30204ecded command/cliconfig: Allow development overrides for providers
For normal provider installation we want to associate each provider with
a selected version number and find a suitable package for that version
that conforms to the official hashes for that release.

Those requirements are very onerous for a provider developer currently
testing a not-yet-released build, though. To allow for that case this new
CLI configuration feature allows overriding specific providers to refer
to give local filesystem directories.

Any provider overridden in this way is not subject to the usual
restrictions about selected versions or checksum conformance, and
activating an override won't cause any changes to the selections recorded
in the lock file because it's intended to be a temporary setting for one
developer only.

This is, in a sense, a spiritual successor of an old capability we had to
override specific plugins in the CLI configuration file. There were
some vestiges of that left in the main package and CLI config package
but nothing has actually been honoring them for several versions now and
so this commit removes them to avoid confusion with the new mechanism.
2020-10-16 14:31:15 -07:00
James Bardin
98dc399062
Merge pull request #26606 from hashicorp/jbardin/proposed-set-comparison
More precise handling of lists and maps within sets for ProposedNewObject
2020-10-16 16:21:12 -04:00
James Bardin
e3804810a9 Accept JSON encoded dynamic values from providers
Core was previously ignoring JSON-encoded dynamic values, but these are
technically supported, so we must either error or accept the value.
Since we already have the decoder for Json state, it's minimal effort to
support this on all plugin methods too.

This change also gives providers an easy way to implement the
UpgradeResourceState method. The obvious implementation of returning the same
JSON-encoded value has tripped up a few providers not using the legacy
SDK already, and we should have at least indicated that the value was
being lost.
2020-10-16 16:19:11 -04:00
Alisdair McDiarmid
4f53234d8c terraform: Hide maybe-sensitive provisioner output
If the provisioner configuration includes sensitive values, it's a
reasonable assumption that we should suppress its log output. Obvious
examples where this makes sense include echoing a secret to a file using
local-exec or remote-exec.

This commit adds tests for both logging output from provisioners with
non-sensitive configuration, and suppressing logs for provisioners with
sensitive values in configuration.

Note that we do not suppress logs if connection info contains sensitive
information, as provisioners should not be logging connection
information under any circumstances.
2020-10-16 15:29:44 -04:00
Alisdair McDiarmid
9c580335e3 terraform: Unmark provisioner arguments
If provisioner configuration or connection info includes sensitive
values, we need to unmark them before calling the provisioner. Failing
to do so causes serialization to error.

Unlike resources, we do not need to capture marked paths here, so we
just discard the marks.
2020-10-16 15:12:09 -04:00
James Bardin
77af322c1c handle non-null, but empty NestingMap in a set 2020-10-15 21:21:14 -04:00
James Bardin
b59c64245b refactor ifs to reduce indentation 2020-10-15 20:55:56 -04:00
James Bardin
f128b8c4fa take dynamic types into account when comparing set
If a NestingList or NestingMap contains a dynamic type, they must be
handled as a cty.Tuple and cty.Object respectively, because the elements
may not have precisely matching types.
2020-10-15 20:07:00 -04:00
Alexander Ovechkin
d7db008df2 added empty list test case 2020-10-15 19:21:41 -04:00
Alexander Ovechkin
8fbb4d0163 Converting ListVal to ListVal instead of TupleVal in setElementCompareValue 2020-10-15 19:21:41 -04:00
Pam Selle
a9823515ec Update context apply test 2020-10-15 17:38:09 -04:00
Pam Selle
a1a46425bd Set and single test coverage 2020-10-15 17:25:53 -04:00
Pam Selle
a5c5d2c28c Cover NestingMap case 2020-10-15 17:19:27 -04:00
Pam Selle
f790332bff NestingList support tested 2020-10-15 16:55:11 -04:00
Pam Selle
10cffc477d Basic test for GetResource, plus sensitivity 2020-10-15 16:50:57 -04:00
Kristin Laemmert
31033001a8
Update CHANGELOG.md 2020-10-15 11:38:46 -04:00
Tony Carmichael
db86f0d182
Merge pull request #26595 from hashicorp/aicarmic-patch-1
Update community-index.html.markdown
2020-10-15 09:25:26 -06:00
Tony Carmichael
9ff007d322
Update community-index.html.markdown 2020-10-15 08:57:33 -06:00
Tony Carmichael
49a3d14b3b
Update community-index.html.markdown
Updates to community listings now that registry has been GA for a few months.
2020-10-15 08:55:57 -06:00
hashicorp-ci
33cc81e65e Cleanup after v0.14.0-beta1 release 2020-10-15 14:19:40 +00:00
hashicorp-ci
0671bc7eab
Release v0.14.0-beta1 2020-10-15 14:03:43 +00:00
James Bardin
1ecd86d08e
Merge pull request #26155 from hashicorp/unused-env-var
Remove unused env var TF_SKIP_PROVIDER_VERIFY
2020-10-14 18:03:22 -04:00
James Bardin
ffbdd72196
Merge pull request #26487 from hashicorp/jbardin/shell-escape
update taint command example
2020-10-14 17:59:33 -04:00
Pam Selle
ee9ec8a193 Reordering so attributes are first (understandability) 2020-10-14 17:45:57 -04:00
Pam Selle
e44e03b283 If our block doesn't contain any sensitive attrs, skip recursing into it 2020-10-14 17:44:50 -04:00
Pam Selle
f60ae7ac08 Mark sensitive attributes in blocks
This implements marking sensitive attributes within
blocks when referenced by adding recursive calls
to get more paths from blocks' attributes
2020-10-14 17:37:06 -04:00
James Bardin
014fb898d5
Merge pull request #26589 from hashicorp/jbardin/vet-fixes
Fixes for go vet
2020-10-14 16:28:35 -04:00
Pam Selle
5e2905d222 Mark attributes providers mark as sensitive
This updates GetResource so that the value
returned has marks where the provider's schema
has marked an attribute as sensitive
2020-10-14 15:30:16 -04:00
James Bardin
98d01615f6 unreachable 2020-10-14 14:09:17 -04:00
James Bardin
c61a893590 unused tests
these are no longer relevant
2020-10-14 14:08:09 -04:00
James Bardin
5e9425b562 unreachable 2020-10-14 14:06:00 -04:00
James Bardin
b8df47c9ac add struct field names 2020-10-14 14:05:41 -04:00
Alisdair McDiarmid
8bd940d024 go get github.com/mattn/go-colorable@v0.1.8 2020-10-14 13:46:54 -04:00
Alisdair McDiarmid
b1500db6b9
Merge pull request #26585 from hashicorp/alisdair/update-hcl-cty
Update hcl and go-cty dependencies
2020-10-14 13:42:46 -04:00
James Bardin
657dd33008
Merge pull request #26557 from remilapeyre/skip-ddl-commands
Add skip_table_creation and skip_index_creation options to the pg backend
2020-10-14 13:36:26 -04:00
James Bardin
08abf5d561
Merge pull request #26577 from hashicorp/jbardin/decoder-spec
Memoize Block.DecoderSpec
2020-10-14 12:45:23 -04:00
James Bardin
e27ecba6e4 extended cache comments 2020-10-14 12:45:06 -04:00
Petros Kolyvas
dc48450e79
Provisioner contribution guide updates (#26538)
An update on the deprecated state of vendor provisioners for our contribution guide.
2020-10-14 12:30:40 -04:00
Martin Atkins
0009768c7f internal/depsfile: Update the dependency lock file atomically
In this case, "atomic" means that there will be no situation where the
file contains only part of the newContent data, and therefore other
software monitoring the file for changes (using a mechanism like inotify)
won't encounter a truncated file.

It does _not_ mean that there can't be existing filehandles open against
the old version of the file. On Windows systems the write will fail in
that case, but on Unix systems the write will typically succeed but leave
the existing filehandles still pointing at the old version of the file.
They'll need to reopen the file in order to see the new content.
2020-10-14 08:01:19 -07:00
Martin Atkins
55e6f64977 internal/depsfile: Factor out our atomic file replacement logic
This originated in the cliconfig code to write out credentials files. The
Windows implementation of this in particular was quite onerous to get
right because it needs a very specific sequence of operations to avoid
running into exclusive file locks, and so by factoring this out with
only cosmetic modification we can avoid repeating all of that engineering
effort for other atomic file writing use-cases.
2020-10-14 08:01:19 -07:00
Martin Atkins
e70ab09bf1 command: new cache directory .terraform/providers for providers
Terraform v0.10 introduced .terraform/plugins as a cache directory for
automatically-installed plugins, Terraform v0.13 later reorganized the
directory structure inside but retained its purpose as a cache.

The local cache used to also serve as a record of specifically which
packages were selected in a particular working directory, with the intent
that a second run of "terraform init" would always select the same
packages again. That meant that in some sense it behaved a bit like a
local filesystem mirror directory, even though that wasn't its intended
purpose.

Due to some unfortunate miscommunications, somewhere a long the line we
published some documentation that _recommended_ using the cache directory
as if it were a filesystem mirror directory when working with Terraform
Cloud. That was really only working as an accident of implementation
details, and Terraform v0.14 is now going to break that because the source
of record for the currently-selected provider versions is now the
public-facing dependency lock file rather than the contents of an existing
local cache directory on disk.

After some consideration of how to move forward here, this commit
implements a compromise that tries to avoid silently doing anything
surprising while still giving useful guidance to folks who were previously
using the unsupported strategy. Specifically:

- The local cache directory will now be .terraform/providers rather than
  .terraform/plugins, because .terraform/plugins is effectively "poisoned"
  by the incorrect usage that we can't reliably distinguish from prior
  version correct usage.

- The .terraform/plugins directory is now the "legacy cache directory". It
  is intentionally _not_ now a filesystem mirror directory, because that
  would risk incorrectly interpreting providers automatically installed
  by Terraform v0.13 as if they were a local mirror, and thus upgrades
  and checksum fetches from the origin registry would be blocked.

- Because of the previous two points, someone who _was_ trying to use the
  legacy cache directory as a filesystem mirror would see installation
  fail for any providers they manually added to the legacy directory.

  To avoid leaving that user stumped as to what went wrong, there's a
  heuristic for the case where a non-official provider fails installation
  and yet we can see it in the legacy cache directory. If that heuristic
  matches then we'll produce a warning message hinting to move the
  provider under the terraform.d/plugins directory, which is a _correct_
  location for "bundled" provider plugins that belong only to a single
  configuration (as opposed to being installed globally on a system).

This does unfortunately mean that anyone who was following the
incorrectly-documented pattern will now encounter an error (and the
aforementioned warning hint) after upgrading to Terraform v0.14. This
seems like the safest compromise because Terraform can't automatically
infer the intent of files it finds in .terraform/plugins in order to
decide automatically how best to handle them.

The internals of the .terraform directory are always considered
implementation detail for a particular Terraform version and so switching
to a new directory for the _actual_ cache directory fits within our usual
set of guarantees, though it's definitely non-ideal in isolation but okay
when taken in the broader context of this problem, where the alternative
would be silent misbehavior when upgrading.
2020-10-14 07:53:41 -07:00
James Bardin
bb76c3b50c
Update configs/configschema/decoder_spec.go
Co-authored-by: Kristin Laemmert <mildwonkey@users.noreply.github.com>
2020-10-14 10:33:44 -04:00
Alisdair McDiarmid
948ab5ebca go get github.com/zclconf/go-cty@e5225636c8c2 2020-10-14 10:17:22 -04:00
Alisdair McDiarmid
a647b11af8 go get github.com/hashicorp/hcl/v2@v2.7.0 2020-10-14 10:16:42 -04:00
James Bardin
dd8a8bdea1 add benchmark used for DecoderSpec
Not a great benchmark, but record it here for posterity. Practical
testing with the AWS provider gives us a 98% speedup for simple plans.
2020-10-14 09:19:26 -04:00
James Bardin
d40e2fb8d1 cache DecoderSpec calls
DecoderSpec may be called many times, and deeply recursive calls are
expensive. Since we cannot synchronize the Blocks themselves due to them
being copied in parts of the code, we use a separate cache to store the
generated Specs.
2020-10-14 09:19:26 -04:00
James Bardin
d3307f4864
Merge pull request #26584 from hashicorp/jbardin/var-tests
re-enable and fix module variable tests
2020-10-14 09:16:59 -04:00
James Bardin
2e35ac12f3
Merge pull request #26583 from hashicorp/jbardin/go-cmp
update go-cmp
2020-10-14 09:12:44 -04:00
James Bardin
073beb90a6 re-enable and fix module variable tests
A few tests were inadvertently renamed, causing them to be be skipped.
For some reason this is not caught by the `vet` pass that happens during
normal testing.
2020-10-14 09:10:37 -04:00