This is to upgrade past the vulnerability described here:
https://github.com/advisories/GHSA-cfgp-2977-2fmm

Terraform does not seem to be significantly affected by it since our use
is primarily between Terraform Core and provider plugins where at worst
a provider could just make its own connection to Terraform malfunction.
However, this also appears to be a relatively low-risk upgrade.

This does force upgrading some of the Google Cloud Platform dependencies,
which the "gcs" (Google Cloud Storage) backend depends on, so there is
some minor risk to that backend but the upstream changes to those
dependencies do not seem to be significant.

* main: disambiguate arg ordering test

Make it extra clear what order of args we are asserting.

* command: fix plan -refresh=false test

The test for plan -refresh=false was not functioning, since ReadResource will not be called if the resource is not in prior state.

Add a new fixture directory with state, and also test the converse, to prevent regression.

* command: add test for refresh flag precedence

A consumer relies on the fact that running terraform plan -refresh=false -refresh true gives the same result as terraform plan -refresh=true.

Use the global providers.SchemaCache and update all schema access to the
providers.Schemas, except where the provider.GetProviderSchemaResponse
type name would be expected.

Some tests that reuse provider factories needed a little more careful
handling. Change the fixed func to only reset the provider on the first
call.

Add a single global schema cache for providers. This allows multiple
provider instances to share a single copy of the schema, and prevents
loading the schema multiple times for a given provider type during a
single command.

This does not currently work with some provider releases, which are
using GetProviderSchema to trigger certain initializations. A new server
capability will be introduced to trigger reloading their schemas, but
not store duplicate results.

A module output is generally not used during destroy, however it must be
evaluated when its value is used by a provider for configuration,
because that configuration is not stored between walks.

There was an oversight in the output expansion node where the output
node was not created because the operation was destroy, and module
outputs have nothing to destroy. This however skipped evaluation when
the output is needed by a provider as mentioned above. Because of the
way an implied plan is stored internally when executing `terraform
destroy`, this went unnoticed by the test.

Allowing the output to be evaluated during destroy fixes the issue, and
should be acceptable because an output is classified as temporary in the
graph, and will be pruned when not actually needed.

Update the existing test to serialize the plan, which triggers the
failure.

In order to ensure that transitive dependencies are connected even when
there are no instances for a resource, we need to route the references
through the config ("expand") node. This happens naturally by having the
expand node report its config references, however legacy configs can
contain self-references without the "self" identifier, so those need to
be filtered out.