mirror of
https://github.com/opentofu/opentofu.git
synced 2025-01-15 19:22:46 -06:00
c5c1f31db3
When using the enhanced remote backend, a subset of all Terraform operations are supported. Of these, only plan and apply can be executed on the remote infrastructure (e.g. Terraform Cloud). Other operations run locally and use the remote backend for state storage. This causes problems when the local version of Terraform does not match the configured version from the remote workspace. If the two versions are incompatible, an `import` or `state mv` operation can cause the remote workspace to be unusable until a manual fix is applied. To prevent this from happening accidentally, this commit introduces a check that the local Terraform version and the configured remote workspace Terraform version are compatible. This check is skipped for commands which do not write state, and can also be disabled by the use of a new command-line flag, `-ignore-remote-version`. Terraform version compatibility is defined as: - For all releases before 0.14.0, local must exactly equal remote, as two different versions cannot share state; - 0.14.0 to 1.0.x are compatible, as we will not change the state version number until at least Terraform 1.1.0; - Versions after 1.1.0 must have the same major and minor versions, as we will not change the state version number in a patch release. If the two versions are incompatible, a diagnostic is displayed, advising that the error can be suppressed with `-ignore-remote-version`. When this flag is used, the diagnostic is still displayed, but as a warning instead of an error. Commands which will not write state can assert this fact by calling the helper `meta.ignoreRemoteBackendVersionConflict`, which will disable the checks. Those which can write state should instead call the helper `meta.remoteBackendVersionCheck`, which will return diagnostics for display. In addition to these explicit paths for managing the version check, we have an implicit check in the remote backend's state manager initialization method. Both of the above helpers will disable this check. This fallback is in place to ensure that future code paths which access state cannot accidentally skip the remote version check.
165 lines
4.4 KiB
Go
165 lines
4.4 KiB
Go
package command
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"io"
|
|
"os"
|
|
"strings"
|
|
|
|
"github.com/hashicorp/terraform/command/clistate"
|
|
"github.com/hashicorp/terraform/states/statefile"
|
|
"github.com/hashicorp/terraform/states/statemgr"
|
|
"github.com/mitchellh/cli"
|
|
)
|
|
|
|
// StatePushCommand is a Command implementation that shows a single resource.
|
|
type StatePushCommand struct {
|
|
Meta
|
|
StateMeta
|
|
}
|
|
|
|
func (c *StatePushCommand) Run(args []string) int {
|
|
args = c.Meta.process(args)
|
|
var flagForce bool
|
|
cmdFlags := c.Meta.ignoreRemoteVersionFlagSet("state push")
|
|
cmdFlags.BoolVar(&flagForce, "force", false, "")
|
|
cmdFlags.BoolVar(&c.Meta.stateLock, "lock", true, "lock state")
|
|
cmdFlags.DurationVar(&c.Meta.stateLockTimeout, "lock-timeout", 0, "lock timeout")
|
|
if err := cmdFlags.Parse(args); err != nil {
|
|
c.Ui.Error(fmt.Sprintf("Error parsing command-line flags: %s\n", err.Error()))
|
|
return 1
|
|
}
|
|
args = cmdFlags.Args()
|
|
|
|
if len(args) != 1 {
|
|
c.Ui.Error("Exactly one argument expected.\n")
|
|
return cli.RunResultHelp
|
|
}
|
|
|
|
// Determine our reader for the input state. This is the filepath
|
|
// or stdin if "-" is given.
|
|
var r io.Reader = os.Stdin
|
|
if args[0] != "-" {
|
|
f, err := os.Open(args[0])
|
|
if err != nil {
|
|
c.Ui.Error(err.Error())
|
|
return 1
|
|
}
|
|
|
|
// Note: we don't need to defer a Close here because we do a close
|
|
// automatically below directly after the read.
|
|
|
|
r = f
|
|
}
|
|
|
|
// Read the state
|
|
srcStateFile, err := statefile.Read(r)
|
|
if c, ok := r.(io.Closer); ok {
|
|
// Close the reader if possible right now since we're done with it.
|
|
c.Close()
|
|
}
|
|
if err != nil {
|
|
c.Ui.Error(fmt.Sprintf("Error reading source state %q: %s", args[0], err))
|
|
return 1
|
|
}
|
|
|
|
// Load the backend
|
|
b, backendDiags := c.Backend(nil)
|
|
if backendDiags.HasErrors() {
|
|
c.showDiagnostics(backendDiags)
|
|
return 1
|
|
}
|
|
|
|
// Determine the workspace name
|
|
workspace, err := c.Workspace()
|
|
if err != nil {
|
|
c.Ui.Error(fmt.Sprintf("Error selecting workspace: %s", err))
|
|
return 1
|
|
}
|
|
|
|
// Check remote Terraform version is compatible
|
|
remoteVersionDiags := c.remoteBackendVersionCheck(b, workspace)
|
|
c.showDiagnostics(remoteVersionDiags)
|
|
if remoteVersionDiags.HasErrors() {
|
|
return 1
|
|
}
|
|
|
|
// Get the state manager for the currently-selected workspace
|
|
stateMgr, err := b.StateMgr(workspace)
|
|
if err != nil {
|
|
c.Ui.Error(fmt.Sprintf("Failed to load destination state: %s", err))
|
|
return 1
|
|
}
|
|
|
|
if c.stateLock {
|
|
stateLocker := clistate.NewLocker(context.Background(), c.stateLockTimeout, c.Ui, c.Colorize())
|
|
if err := stateLocker.Lock(stateMgr, "state-push"); err != nil {
|
|
c.Ui.Error(fmt.Sprintf("Error locking state: %s", err))
|
|
return 1
|
|
}
|
|
defer stateLocker.Unlock(nil)
|
|
}
|
|
|
|
if err := stateMgr.RefreshState(); err != nil {
|
|
c.Ui.Error(fmt.Sprintf("Failed to refresh destination state: %s", err))
|
|
return 1
|
|
}
|
|
|
|
if srcStateFile == nil {
|
|
// We'll push a new empty state instead
|
|
srcStateFile = statemgr.NewStateFile()
|
|
}
|
|
|
|
// Import it, forcing through the lineage/serial if requested and possible.
|
|
if err := statemgr.Import(srcStateFile, stateMgr, flagForce); err != nil {
|
|
c.Ui.Error(fmt.Sprintf("Failed to write state: %s", err))
|
|
return 1
|
|
}
|
|
if err := stateMgr.WriteState(srcStateFile.State); err != nil {
|
|
c.Ui.Error(fmt.Sprintf("Failed to write state: %s", err))
|
|
return 1
|
|
}
|
|
if err := stateMgr.PersistState(); err != nil {
|
|
c.Ui.Error(fmt.Sprintf("Failed to persist state: %s", err))
|
|
return 1
|
|
}
|
|
|
|
return 0
|
|
}
|
|
|
|
func (c *StatePushCommand) Help() string {
|
|
helpText := `
|
|
Usage: terraform state push [options] PATH
|
|
|
|
Update remote state from a local state file at PATH.
|
|
|
|
This command "pushes" a local state and overwrites remote state
|
|
with a local state file. The command will protect you against writing
|
|
an older serial or a different state file lineage unless you specify the
|
|
"-force" flag.
|
|
|
|
This command works with local state (it will overwrite the local
|
|
state), but is less useful for this use case.
|
|
|
|
If PATH is "-", then this command will read the state to push from stdin.
|
|
Data from stdin is not streamed to the backend: it is loaded completely
|
|
(until pipe close), verified, and then pushed.
|
|
|
|
Options:
|
|
|
|
-force Write the state even if lineages don't match or the
|
|
remote serial is higher.
|
|
|
|
-lock=true Lock the state file when locking is supported.
|
|
|
|
-lock-timeout=0s Duration to retry a state lock.
|
|
|
|
`
|
|
return strings.TrimSpace(helpText)
|
|
}
|
|
|
|
func (c *StatePushCommand) Synopsis() string {
|
|
return "Update remote state from a local state file"
|
|
}
|