mirror of
https://github.com/opentofu/opentofu.git
synced 2025-01-16 11:42:58 -06:00
df578afd7e
In historical versions of Terraform the responsibility to check this was inside the terraform.NewContext function, along with various other assorted concerns that made that function particularly complicated. More recently, we reduced the responsibility of the "terraform" package only to instantiating particular named plugins, assuming that its caller is responsible for selecting appropriate versions of any providers that _are_ external. However, until this commit we were just assuming that "terraform init" had correctly selected appropriate plugins and recorded them in the lock file, and so nothing was dealing with the problem of ensuring that there haven't been any changes to the lock file or config since the most recent "terraform init" which would cause us to need to re-evaluate those decisions. Part of the game here is to slightly extend the role of the dependency locks object to also carry information about a subset of provider addresses whose lock entries we're intentionally disregarding as part of the various little edge-case features we have for overridding providers: dev_overrides, "unmanaged providers", and the testing overrides in our own unit tests. This is an in-memory-only annotation, never included in the serialized plan files on disk. I had originally intended to create a new package to encapsulate all of this plugin-selection logic, including both the version constraint checking here and also the handling of the provider factory functions, but as an interim step I've just made version constraint consistency checks the responsibility of the backend/local package, which means that we'll always catch problems as part of preparing for local operations, while not imposing these additional checks on commands that _don't_ run local operations, such as "terraform apply" when in remote operations mode.
399 lines
16 KiB
Go
399 lines
16 KiB
Go
package depsfile
|
|
|
|
import (
|
|
"fmt"
|
|
"sort"
|
|
|
|
"github.com/hashicorp/terraform/internal/addrs"
|
|
"github.com/hashicorp/terraform/internal/getproviders"
|
|
)
|
|
|
|
// Locks is the top-level type representing the information retained in a
|
|
// dependency lock file.
|
|
//
|
|
// Locks and the other types used within it are mutable via various setter
|
|
// methods, but they are not safe for concurrent modifications, so it's the
|
|
// caller's responsibility to prevent concurrent writes and writes concurrent
|
|
// with reads.
|
|
type Locks struct {
|
|
providers map[addrs.Provider]*ProviderLock
|
|
|
|
// overriddenProviders is a subset of providers which we might be tracking
|
|
// in field providers but whose lock information we're disregarding for
|
|
// this particular run due to some feature that forces Terraform to not
|
|
// use a normally-installed plugin for it. For example, the "provider dev
|
|
// overrides" feature means that we'll be using an arbitrary directory on
|
|
// disk as the package, regardless of what might be selected in "providers".
|
|
//
|
|
// overriddenProviders is an in-memory-only annotation, never stored as
|
|
// part of a lock file and thus not persistent between Terraform runs.
|
|
// The CLI layer is generally the one responsible for populating this,
|
|
// by calling SetProviderOverridden in response to CLI Configuration
|
|
// settings, environment variables, or whatever similar sources.
|
|
overriddenProviders map[addrs.Provider]struct{}
|
|
|
|
// TODO: In future we'll also have module locks, but the design of that
|
|
// still needs some more work and we're deferring that to get the
|
|
// provider locking capability out sooner, because it's more common to
|
|
// directly depend on providers maintained outside your organization than
|
|
// modules maintained outside your organization.
|
|
|
|
// sources is a copy of the map of source buffers produced by the HCL
|
|
// parser during loading, which we retain only so that the caller can
|
|
// use it to produce source code snippets in error messages.
|
|
sources map[string][]byte
|
|
}
|
|
|
|
// NewLocks constructs and returns a new Locks object that initially contains
|
|
// no locks at all.
|
|
func NewLocks() *Locks {
|
|
return &Locks{
|
|
providers: make(map[addrs.Provider]*ProviderLock),
|
|
|
|
// no "sources" here, because that's only for locks objects loaded
|
|
// from files.
|
|
}
|
|
}
|
|
|
|
// Provider returns the stored lock for the given provider, or nil if that
|
|
// provider currently has no lock.
|
|
func (l *Locks) Provider(addr addrs.Provider) *ProviderLock {
|
|
return l.providers[addr]
|
|
}
|
|
|
|
// AllProviders returns a map describing all of the provider locks in the
|
|
// receiver.
|
|
func (l *Locks) AllProviders() map[addrs.Provider]*ProviderLock {
|
|
// We return a copy of our internal map so that future calls to
|
|
// SetProvider won't modify the map we're returning, or vice-versa.
|
|
ret := make(map[addrs.Provider]*ProviderLock, len(l.providers))
|
|
for k, v := range l.providers {
|
|
ret[k] = v
|
|
}
|
|
return ret
|
|
}
|
|
|
|
// SetProvider creates a new lock or replaces the existing lock for the given
|
|
// provider.
|
|
//
|
|
// SetProvider returns the newly-created provider lock object, which
|
|
// invalidates any ProviderLock object previously returned from Provider or
|
|
// SetProvider for the given provider address.
|
|
//
|
|
// The ownership of the backing array for the slice of hashes passes to this
|
|
// function, and so the caller must not read or write that backing array after
|
|
// calling SetProvider.
|
|
//
|
|
// Only lockable providers can be passed to this method. If you pass a
|
|
// non-lockable provider address then this function will panic. Use
|
|
// function ProviderIsLockable to determine whether a particular provider
|
|
// should participate in the version locking mechanism.
|
|
func (l *Locks) SetProvider(addr addrs.Provider, version getproviders.Version, constraints getproviders.VersionConstraints, hashes []getproviders.Hash) *ProviderLock {
|
|
if !ProviderIsLockable(addr) {
|
|
panic(fmt.Sprintf("Locks.SetProvider with non-lockable provider %s", addr))
|
|
}
|
|
|
|
new := NewProviderLock(addr, version, constraints, hashes)
|
|
l.providers[new.addr] = new
|
|
return new
|
|
}
|
|
|
|
// SetProviderOverridden records that this particular Terraform process will
|
|
// not pay attention to the recorded lock entry for the given provider, and
|
|
// will instead access that provider's functionality in some other special
|
|
// way that isn't sensitive to provider version selections or checksums.
|
|
//
|
|
// This is an in-memory-only annotation which lives only inside a particular
|
|
// Locks object, and is never persisted as part of a saved lock file on disk.
|
|
// It's valid to still use other methods of the reciever to access
|
|
// already-stored lock information and to update lock information for an
|
|
// overridden provider, but some callers may need to use ProviderIsOverridden
|
|
// to selectively disregard stored lock information for overridden providers,
|
|
// depending on what they intended to use the lock information for.
|
|
func (l *Locks) SetProviderOverridden(addr addrs.Provider) {
|
|
if l.overriddenProviders == nil {
|
|
l.overriddenProviders = make(map[addrs.Provider]struct{})
|
|
}
|
|
l.overriddenProviders[addr] = struct{}{}
|
|
}
|
|
|
|
// ProviderIsOverridden returns true only if the given provider address was
|
|
// previously registered as overridden by calling SetProviderOverridden.
|
|
func (l *Locks) ProviderIsOverridden(addr addrs.Provider) bool {
|
|
_, ret := l.overriddenProviders[addr]
|
|
return ret
|
|
}
|
|
|
|
// SetSameOverriddenProviders updates the receiver to mark as overridden all
|
|
// of the same providers already marked as overridden in the other given locks.
|
|
//
|
|
// This allows propagating override information between different lock objects,
|
|
// as if calling SetProviderOverridden for each address already overridden
|
|
// in the other given locks. If the reciever already has overridden providers,
|
|
// SetSameOverriddenProviders will preserve them.
|
|
func (l *Locks) SetSameOverriddenProviders(other *Locks) {
|
|
if other == nil {
|
|
return
|
|
}
|
|
for addr := range other.overriddenProviders {
|
|
l.SetProviderOverridden(addr)
|
|
}
|
|
}
|
|
|
|
// NewProviderLock creates a new ProviderLock object that isn't associated
|
|
// with any Locks object.
|
|
//
|
|
// This is here primarily for testing. Most callers should use Locks.SetProvider
|
|
// to construct a new provider lock and insert it into a Locks object at the
|
|
// same time.
|
|
//
|
|
// The ownership of the backing array for the slice of hashes passes to this
|
|
// function, and so the caller must not read or write that backing array after
|
|
// calling NewProviderLock.
|
|
//
|
|
// Only lockable providers can be passed to this method. If you pass a
|
|
// non-lockable provider address then this function will panic. Use
|
|
// function ProviderIsLockable to determine whether a particular provider
|
|
// should participate in the version locking mechanism.
|
|
func NewProviderLock(addr addrs.Provider, version getproviders.Version, constraints getproviders.VersionConstraints, hashes []getproviders.Hash) *ProviderLock {
|
|
if !ProviderIsLockable(addr) {
|
|
panic(fmt.Sprintf("Locks.NewProviderLock with non-lockable provider %s", addr))
|
|
}
|
|
|
|
// Normalize the hashes into lexical order so that we can do straightforward
|
|
// equality tests between different locks for the same provider. The
|
|
// hashes are logically a set, so the given order is insignificant.
|
|
sort.Slice(hashes, func(i, j int) bool {
|
|
return string(hashes[i]) < string(hashes[j])
|
|
})
|
|
|
|
// This is a slightly-tricky in-place deduping to avoid unnecessarily
|
|
// allocating a new array in the common case where there are no duplicates:
|
|
// we iterate over "hashes" at the same time as appending to another slice
|
|
// with the same backing array, relying on the fact that deduping can only
|
|
// _skip_ elements from the input, and will never generate additional ones
|
|
// that would cause the writer to get ahead of the reader. This also
|
|
// assumes that we already sorted the items, which means that any duplicates
|
|
// will be consecutive in the sequence.
|
|
dedupeHashes := hashes[:0]
|
|
prevHash := getproviders.NilHash
|
|
for _, hash := range hashes {
|
|
if hash != prevHash {
|
|
dedupeHashes = append(dedupeHashes, hash)
|
|
prevHash = hash
|
|
}
|
|
}
|
|
|
|
return &ProviderLock{
|
|
addr: addr,
|
|
version: version,
|
|
versionConstraints: constraints,
|
|
hashes: dedupeHashes,
|
|
}
|
|
}
|
|
|
|
// ProviderIsLockable returns true if the given provider is eligible for
|
|
// version locking.
|
|
//
|
|
// Currently, all providers except builtin and legacy providers are eligible
|
|
// for locking.
|
|
func ProviderIsLockable(addr addrs.Provider) bool {
|
|
return !(addr.IsBuiltIn() || addr.IsLegacy())
|
|
}
|
|
|
|
// Sources returns the source code of the file the receiver was generated from,
|
|
// or an empty map if the receiver wasn't generated from a file.
|
|
//
|
|
// This return type matches the one expected by HCL diagnostics printers to
|
|
// produce source code snapshots, which is the only intended use for this
|
|
// method.
|
|
func (l *Locks) Sources() map[string][]byte {
|
|
return l.sources
|
|
}
|
|
|
|
// Equal returns true if the given Locks represents the same information as
|
|
// the receiver.
|
|
//
|
|
// Equal explicitly _does not_ consider the equality of version constraints
|
|
// in the saved locks, because those are saved only as hints to help the UI
|
|
// explain what's changed between runs, and are never used as part of
|
|
// dependency installation decisions.
|
|
func (l *Locks) Equal(other *Locks) bool {
|
|
if len(l.providers) != len(other.providers) {
|
|
return false
|
|
}
|
|
for addr, thisLock := range l.providers {
|
|
otherLock, ok := other.providers[addr]
|
|
if !ok {
|
|
return false
|
|
}
|
|
|
|
if thisLock.addr != otherLock.addr {
|
|
// It'd be weird to get here because we already looked these up
|
|
// by address above.
|
|
return false
|
|
}
|
|
if thisLock.version != otherLock.version {
|
|
// Equality rather than "Version.Same" because changes to the
|
|
// build metadata are significant for the purpose of this function:
|
|
// it's a different package even if it has the same precedence.
|
|
return false
|
|
}
|
|
|
|
// Although "hashes" is declared as a slice, it's logically an
|
|
// unordered set. However, we normalize the slice of hashes when
|
|
// recieving it in NewProviderLock, so we can just do a simple
|
|
// item-by-item equality test here.
|
|
if len(thisLock.hashes) != len(otherLock.hashes) {
|
|
return false
|
|
}
|
|
for i := range thisLock.hashes {
|
|
if thisLock.hashes[i] != otherLock.hashes[i] {
|
|
return false
|
|
}
|
|
}
|
|
}
|
|
// We don't need to worry about providers that are in "other" but not
|
|
// in the receiver, because we tested the lengths being equal above.
|
|
|
|
return true
|
|
}
|
|
|
|
// EqualProviderAddress returns true if the given Locks have the same provider
|
|
// address as the receiver. This doesn't check version and hashes.
|
|
func (l *Locks) EqualProviderAddress(other *Locks) bool {
|
|
if len(l.providers) != len(other.providers) {
|
|
return false
|
|
}
|
|
|
|
for addr := range l.providers {
|
|
_, ok := other.providers[addr]
|
|
if !ok {
|
|
return false
|
|
}
|
|
}
|
|
|
|
return true
|
|
}
|
|
|
|
// Empty returns true if the given Locks object contains no actual locks.
|
|
//
|
|
// UI code might wish to use this to distinguish a lock file being
|
|
// written for the first time from subsequent updates to that lock file.
|
|
func (l *Locks) Empty() bool {
|
|
return len(l.providers) == 0
|
|
}
|
|
|
|
// DeepCopy creates a new Locks that represents the same information as the
|
|
// receiver but does not share memory for any parts of the structure that.
|
|
// are mutable through methods on Locks.
|
|
//
|
|
// Note that this does _not_ create deep copies of parts of the structure
|
|
// that are technically mutable but are immutable by convention, such as the
|
|
// array underlying the slice of version constraints. Callers may mutate the
|
|
// resulting data structure only via the direct methods of Locks.
|
|
func (l *Locks) DeepCopy() *Locks {
|
|
ret := NewLocks()
|
|
for addr, lock := range l.providers {
|
|
var hashes []getproviders.Hash
|
|
if len(lock.hashes) > 0 {
|
|
hashes = make([]getproviders.Hash, len(lock.hashes))
|
|
copy(hashes, lock.hashes)
|
|
}
|
|
ret.SetProvider(addr, lock.version, lock.versionConstraints, hashes)
|
|
}
|
|
return ret
|
|
}
|
|
|
|
// ProviderLock represents lock information for a specific provider.
|
|
type ProviderLock struct {
|
|
// addr is the address of the provider this lock applies to.
|
|
addr addrs.Provider
|
|
|
|
// version is the specific version that was previously selected, while
|
|
// versionConstraints is the constraint that was used to make that
|
|
// selection, which we can potentially use to hint to run
|
|
// e.g. terraform init -upgrade if a user has changed a version
|
|
// constraint but the previous selection still remains valid.
|
|
// "version" is therefore authoritative, while "versionConstraints" is
|
|
// just for a UI hint and not used to make any real decisions.
|
|
version getproviders.Version
|
|
versionConstraints getproviders.VersionConstraints
|
|
|
|
// hashes contains zero or more hashes of packages or package contents
|
|
// for the package associated with the selected version across all of
|
|
// the supported platforms.
|
|
//
|
|
// hashes can contain a mixture of hashes in different formats to support
|
|
// changes over time. The new-style hash format is to have a string
|
|
// starting with "h" followed by a version number and then a colon, like
|
|
// "h1:" for the first hash format version. Other hash versions following
|
|
// this scheme may come later. These versioned hash schemes are implemented
|
|
// in the getproviders package; for example, "h1:" is implemented in
|
|
// getproviders.HashV1 .
|
|
//
|
|
// There is also a legacy hash format which is just a lowercase-hex-encoded
|
|
// SHA256 hash of the official upstream .zip file for the selected version.
|
|
// We'll allow as that a stop-gap until we can upgrade Terraform Registry
|
|
// to support the new scheme, but is non-ideal because we can verify it only
|
|
// when we have the original .zip file exactly; we can't verify a local
|
|
// directory containing the unpacked contents of that .zip file.
|
|
//
|
|
// We ideally want to populate hashes for all available platforms at
|
|
// once, by referring to the signed checksums file in the upstream
|
|
// registry. In that ideal case it's possible to later work with the same
|
|
// configuration on a different platform while still verifying the hashes.
|
|
// However, installation from any method other than an origin registry
|
|
// means we can only populate the hash for the current platform, and so
|
|
// it won't be possible to verify a subsequent installation of the same
|
|
// provider on a different platform.
|
|
hashes []getproviders.Hash
|
|
}
|
|
|
|
// Provider returns the address of the provider this lock applies to.
|
|
func (l *ProviderLock) Provider() addrs.Provider {
|
|
return l.addr
|
|
}
|
|
|
|
// Version returns the currently-selected version for the corresponding provider.
|
|
func (l *ProviderLock) Version() getproviders.Version {
|
|
return l.version
|
|
}
|
|
|
|
// VersionConstraints returns the version constraints that were recorded as
|
|
// being used to choose the version returned by Version.
|
|
//
|
|
// These version constraints are not authoritative for future selections and
|
|
// are included only so Terraform can detect if the constraints in
|
|
// configuration have changed since a selection was made, and thus hint to the
|
|
// user that they may need to run terraform init -upgrade to apply the new
|
|
// constraints.
|
|
func (l *ProviderLock) VersionConstraints() getproviders.VersionConstraints {
|
|
return l.versionConstraints
|
|
}
|
|
|
|
// AllHashes returns all of the package hashes that were recorded when this
|
|
// lock was created. If no hashes were recorded for that platform, the result
|
|
// is a zero-length slice.
|
|
//
|
|
// If your intent is to verify a package against the recorded hashes, use
|
|
// PreferredHashes to get only the hashes which the current version
|
|
// of Terraform considers the strongest of the available hashing schemes, one
|
|
// of which must match in order for verification to be considered successful.
|
|
//
|
|
// Do not modify the backing array of the returned slice.
|
|
func (l *ProviderLock) AllHashes() []getproviders.Hash {
|
|
return l.hashes
|
|
}
|
|
|
|
// PreferredHashes returns a filtered version of the AllHashes return value
|
|
// which includes only the strongest of the availabile hash schemes, in
|
|
// case legacy hash schemes are deprecated over time but still supported for
|
|
// upgrade purposes.
|
|
//
|
|
// At least one of the given hashes must match for a package to be considered
|
|
// valud.
|
|
func (l *ProviderLock) PreferredHashes() []getproviders.Hash {
|
|
return getproviders.PreferredHashes(l.hashes)
|
|
}
|