Commit Graph

28464 Commits

Author SHA1 Message Date
Pam Selle b03d5df9dc Disallow sensitive values as for_each arguments 2020-09-10 11:04:17 -04:00
Pam Selle 61c78fd3b9 Add case to compactValueStr not to expose sensitive vals in diagnostics 2020-09-10 11:04:17 -04:00
Pam Selle 3e8b125e53 Apply does not need remarking
Apply, at this moment, appears that
it does not require the remarking strategy,
as the plan has already been printed
2020-09-10 11:04:17 -04:00
Pam Selle 5b0b1a13a5 Update object compatible check to unmark
The hack approach appears consistent,
as we can remove marks before calling the
value validation
2020-09-10 11:04:17 -04:00
Pam Selle e9d9205ce8 Modifications to eval_diff 2020-09-10 11:04:17 -04:00
Pam Selle bc55b6a28b Use UnmarkDeepWithPaths and MarkWithPaths
Updates existing code to use the new Value
methods for unmarking/marking and removes
panics/workarounds in cty marshall methods
2020-09-10 11:04:17 -04:00
Pam Selle 7fef1db20d Add sensitive variable configs test coverage 2020-09-10 11:04:17 -04:00
Pam Selle 6c129a921b Unmark/remark in apply process to allow apply 2020-09-10 11:04:17 -04:00
Pam Selle 896d277a69 If the path is empty, we should not be marking the path 2020-09-10 11:04:17 -04:00
Pam Selle 84d118e18f Track sensitivity through evaluation
Mark sensitivity on a value. However, when the value is encoded to send to the
provider to produce a changeset we must remove the marks, so unmark the value
and remark it with the saved path afterwards
2020-09-10 11:04:17 -04:00
Alisdair McDiarmid 740ac873c9
Update CHANGELOG.md 2020-09-10 11:03:50 -04:00
Pam Selle 862ddf73e2 Add a sensitive attribute 2020-09-10 11:02:54 -04:00
Alisdair McDiarmid a18e1cb24f
Merge pull request #26187 from hashicorp/alisdair/concise-diff
command: Add experimental concise diff renderer
2020-09-10 11:01:20 -04:00
Alisdair McDiarmid 09d8355f43 command: Add experimental concise diff renderer
When rendering a diff between current state and projected state, we only
show resources and outputs which have changes. However, we show a full
structural diff for these values, which includes all attributes and
blocks for a changed resource or output. The result can be a very long
diff, which makes it difficult to verify what the changed fields are.

This commit adds an experimental concise diff renderer, which suppresses
most unchanged fields, only displaying the most relevant changes and
some identifying context. This means:

- Always show all identifying attributes, initially defined as `id`,
  `name`, and `tags`, even if unchanged;
- Only show changed, added, or removed primitive values: `string`,
  `number`, or `bool`;
- Only show added or removed elements in unordered collections and
  structural types: `map`, `set`, and `object`;
- Show added or removed elements with any surrounding unchanged elements
  for sequence types: `list` and `tuple`;
- Only show added or removed nested blocks, or blocks with changed
  attributes.

If any attributes, collection elements, or blocks are hidden, a count
is kept and displayed at the end of the parent scope. This ensures that
it is clear that the diff is only displaying a subset of the resource.

The experiment is currently enabled by default, but can be disabled by
setting the TF_X_CONCISE_DIFF environment variable to 0.
2020-09-10 10:35:55 -04:00
Pam Selle ee544aa4e8
Merge pull request #26190 from hashicorp/pselle/force-push-fix
Fix bug for force push for backends besides the remote backend
2020-09-10 09:20:07 -04:00
Pam Selle 2c35869a32 Fix bug for force push for backends besides the remote backend
In refactoring the force push code when implementing force push
for the Terraform remote backend, a bug was introduced that
meant that backends that don't implement the EnableForcePush
method would still have their state validated. This commit
fixes that, and adds test coverage such that there is a separate
mockRemoteClient that has this method implemented.
2020-09-10 09:13:57 -04:00
Paul Tyng f3ff843ffd Remove unused env var TF_SKIP_PROVIDER_VERIFY 2020-09-10 09:03:56 -04:00
James Bardin ec231c7616 apply the stored plan CreateThenDelete action
When applying a plan, a forced CreateBeforeDestroy may not be set during
the apply walk when downstream resources are no longer present in the
graph. We still need to stick to that plan, and both the
NodeApplyableResourceInstance EvalTree and the individual Eval nodes
need to operate on that planned value.

Ensure that we always check for an existing plan when determining
CreateBeforeDestroy status. This must happen in 2 different code paths
due to the eval node pattern currently in-use. Future refactoring may be
able to unify these code-paths to make this less fragile.
2020-09-09 17:02:28 -04:00
James Bardin 7695d1cefe add test for forced cbd with no other changes
If a resource is forced CreateBeforeDestroy from a dependent resource,
and that dependent has no changes, the plan is changed from
CreateThenDelete to DeleteThenCreate causing an apply error.
2020-09-09 16:41:01 -04:00
Kristin Laemmert 1a1225ae29
Mildwonkey/eval local (#26182)
* terraform: refactor EvalLocal, remove unused EvalDeleteLocal
* terraform: refactor NodeCountBoundary
* terraform: node_module_expand refactor
2020-09-09 15:59:29 -04:00
James Bardin cf6bc7163a not all plan action changes are provider bugs
A provider cannot influence CreateThenDelete vs DeleteThenCreate, so we
shouldn't attribute this to the provider in the error.
2020-09-09 15:45:06 -04:00
Jon "The Nice Guy" Spriggs 6f9ce7310c
Website: Add map example to templatefile function docs (#26126)
This change adds an example of using a map with a few keys and shows how it runs it.

Co-authored-by: Nick Fagerlund <nick@hashicorp.com>
2020-09-09 12:30:06 -07:00
James Bardin b8b6cae8ef
Merge pull request #26186 from hashicorp/jbardin/cbd-module-dep
don't connect module closers to destroy nodes
2020-09-09 14:15:57 -04:00
James Bardin c9e581e58a don't connect module closers to destroy nodes
One of the tenants of the graph transformations is that resource destroy
nodes can only be ordered relative to other resources, and can't be
referenced directly. This was broken by the module close node which
naively connected to all module nodes, creating cycles in some cases
when edges are reversed from CreateBeforeDestroy.
2020-09-09 12:23:23 -04:00
Alisdair McDiarmid 898b459a03 configs: Error on invalid required_providers attrs
A few users have recently been confused about the purpose of the
required_providers objects, adding provider configuration parameters in
addition to version and source. This previously did not cause an error
so would result in a confusingly distant failure.

This commit adds a single diagnostic for any required_providers object
which includes attributes other than version or source.
2020-09-09 11:52:47 -04:00
Alisdair McDiarmid 3419422891 website: Fix docs for implied provider FS mirrors
In addition to the directories previously listed, Terraform looks in the
CLI config directory ($HOME/.terraform.d/plugins on macOS/Linux/UNIX,
and %APPDATA%/terraform.d/plugins on Windows). List this in the
documentation for clarity.

We also add a note about the working directory relative "vendor"
location, ./terraform.d/plugins.
2020-09-09 11:15:02 -04:00
Kristin Laemmert 069f379e75 terraform: refactor Node*Ouput
This commit refactors NodeApplyableOutput and NodeDestroyableOutput into
the new Execute() pattern, collapsing the functions in eval_output.go
into one place.

I also reverted a recent decision to have Execute take a _pointer_ to a
walkOperation: I was thinking of interfaces, not constant bytes, so all
it did was cause problems.

And finally I removed eval_lang.go, which was unused.
2020-09-09 08:45:54 -04:00
Pam Selle 5153ea633b Add docs notes for deprecation 2020-09-08 14:33:13 -04:00
Pam Selle e191a57093
Merge pull request #25952 from shaowenchen/improvement_docs
improvement github token
2020-09-08 14:30:54 -04:00
Pam Selle 5ec1868419
Merge pull request #25864 from alexnovak/patch-1
Correct annotation in expressions.html
2020-09-08 14:26:46 -04:00
Pam Selle 621ee056e6
Merge pull request #26108 from qrilka/patch-1
Minor typo
2020-09-08 14:16:07 -04:00
Pam Selle 11119e7e3f
Merge pull request #26158 from fourplusone/patch-1
Fix broken link in providers/mirror documentation
2020-09-08 14:13:32 -04:00
Pam Selle afa43d9484
Merge pull request #26170 from hashicorp/pselle/fixE2Etests-osx
Update workDir of e2e binary to eval symlinks
2020-09-08 14:12:51 -04:00
Pam Selle 880546bd66 Update workDir of e2e binary to eval symlinks
Due to a recent update to OS X, this is necessary
so that the correct working directory is saved,
so that methods like Path() on the e2e binary
will return the correct value
2020-09-08 13:46:20 -04:00
Kristin Laemmert 8a4b2ab817 terraform: EvalNode removal, continued
This commit continues the overall EvalNode removal project.

Something to note: the NodeRefreshableDataResourceInstance's Execute()
function is intentionally refactored in the bare minimum,
hardly-a-refactor style, because we have another ongoing project which
aims to remove NodeRefreshable*s. It is not worth the effort at this
time. We may revisit this decision in the future.
2020-09-08 13:05:43 -04:00
Kristin Laemmert df6f3fa6de terraform: modify Execute() signature
walkOperation should be a pointer to simplify test writers' lives - it
is not needed in most cases.
2020-09-08 13:05:43 -04:00
Martin Atkins 773dd56b42 internal/depsfile: Introduce the concept of "non-lockable" providers
It doesn't make sense for a built-in provider to appear in a lock file
because built-in providers have no version independent of the version of
Terraform they are compiled into.

We also exclude legacy providers here, because they were supported only
as a transitional aid to enable the Terraform 0.13 upgrade process and
are not intended for explicit selection.

The provider installer will, once it's updated to understand dependency
locking, use this concept to decide which subset of its selections to
record in the dependency lock file for reference for future installation
requests.
2020-09-08 09:50:58 -07:00
Martin Atkins 98e2e69abb internal/depsfile: SaveLocksToFile implementation
This is an initial implementation of writing locks back to a file on disk.
This initial implementation is incomplete because it does not write the
changes to the new file atomically. We'll revisit that in a later commit
as we return to polish these codepaths, once we've proven out this
package's design by integrating it with Terraform's provider installer.
2020-09-08 09:50:58 -07:00
Martin Atkins 92723661d0 internal/depsfile: Loading locks from HCL files on disk
This is the initial implementation of the parser/decoder portion of the
new dependency lock file handler. It's currently dead code because the
caller isn't written yet. We'll continue to build out this functionality
here until we have the basic level of both load and save functionality
before introducing this into the provider installer codepath.
2020-09-08 09:50:58 -07:00
Martin Atkins 6993ecb0a6 internal/getproviders: VersionConstraintsString for "~> 2" input
The version constraint parser allows "~> 2", but it behavior is identical
to "~> 2.0". Due to a quirk of the constraint parser (caused by the fact
that it supports both Ruby-style and npm/cargo-style constraints), it
ends up returning "~> 2" with the minor version marked as "unconstrained"
rather than as zero, but that means the same thing as zero in this context
anyway and so we'll prefer to stringify as "~> 2.0" so that we can be
clearer about how Terraform is understanding that version constraint.
2020-09-08 09:50:58 -07:00
Alisdair McDiarmid a176aaa4da
Merge pull request #26136 from hashicorp/alisdair/fix-providercache-test-failures-on-macOS
internal: Fix providercache test failures on macOS
2020-09-08 09:45:12 -04:00
Alisdair McDiarmid 1c8a7f65d0
Merge pull request #26137 from hashicorp/alisdair/output-changes-tests
command: Add tests for format.OutputChanges
2020-09-08 09:45:05 -04:00
Kristin Laemmert 2de6698be6
Update CHANGELOG.md 2020-09-08 08:21:17 -04:00
Kristin Laemmert 923e157b5c
configs: deprecate version argument inside provider configuration blocks (#26135)
The version argument is deprecated in Terraform v0.14 in favor of
required_providers and will be removed in a future version of terraform
(expected to be v0.15). The provider configuration documentation already
discourages use of 'version' inside provider configuration blocks, so it
only needed an extra note that it is actively deprecated.
2020-09-08 08:19:00 -04:00
Matthias Bartelmeß cec5222287
Correct typo 2020-09-08 00:18:28 +02:00
Martin Atkins 8f9671b093
Update CHANGELOG.md 2020-09-04 15:33:43 -07:00
Martin Atkins efe78b2910 main: new global option -chdir
This new option is intended to address the previous inconsistencies where
some older subcommands supported partially changing the target directory
(where Terraform would use the new directory inconsistently) where newer
commands did not support that override at all.

Instead, now Terraform will accept a -chdir command at the start of the
command line (before the subcommand) and will interpret it as a request
to direct all actions that would normally be taken in the current working
directory into the target directory instead. This is similar to options
offered by some other similar tools, such as the -C option in "make".

The new option is only accepted at the start of the command line (before
the subcommand) as a way to reflect that it is a global command (not
specific to a particular subcommand) and that it takes effect _before_
executing the subcommand. This also means it'll be forced to appear before
any other command-specific arguments that take file paths, which hopefully
communicates that those other arguments are interpreted relative to the
overridden path.

As a measure of pragmatism for existing uses, the path.cwd object in
the Terraform language will continue to return the _original_ working
directory (ignoring -chdir), in case that is important in some exceptional
workflows. The path.root object gives the root module directory, which
will always match the overriden working directory unless the user
simultaneously uses one of the legacy directory override arguments, which
is not a pattern we intend to support in the long run.

As a first step down the deprecation path, this commit adjusts the
documentation to de-emphasize the inconsistent old command line arguments,
including specific guidance on what to use instead for the main three
workflow commands, but all of those options remain supported in the same
way as they were before. In a later commit we'll make those arguments
produce a visible deprecation warning in Terraform's output, and then
in an even later commit we'll remove them entirely so that -chdir is the
single supported way to run Terraform from a directory other than the
one containing the root module configuration.
2020-09-04 15:31:08 -07:00
Alisdair McDiarmid ba9baac36d command: Add tests for format.OutputChanges
Most of the functionality for rendering output changes is covered by the
tests for ResourceChanges, as they both share the same diff renderer.
This commit adds a few tests to cover some of the output specific code.
2020-09-04 16:22:23 -04:00
Alisdair McDiarmid 5587509bcf internal: Fix providercache test failures on macOS
For reasons that are unclear, these two tests just started failing on
macOS very recently. The failure looked like:

    PackageDir: strings.Join({
      "/",
+     "private/",
      "var/folders/3h/foobar/T/terraform-test-p",
      "rovidercache655312854/registry.terraform.io/hashicorp/null/2.0.0",
      "/windows_amd64",
    },

Speculating that the macOS temporary directory moved into the /private
directory, I added a couple of EvalSymlinks calls and the tests pass
again.

No other unit tests appear to be affected by this at the moment.
2020-09-04 16:09:57 -04:00
Kristin Laemmert 883e4487a2
terraform: add GraphNodeExecutable interface (#26132)
This introduces a new GraphNode, GraphNodeExecutable, which will
gradually replace GraphNodeEvalable as part of the overall removal of
EvalTree()s. Terraform's Graph.walk function will now check if a node is
GraphNodeExecutable and run walker.Execute instead of running through
the EvalTree() and Eval().

For the time being, terraform will panic if a node implements both
GraphNodeExecutable and GraphNodeEvalable. This will be removed when
we've finished removing all GraphNodeEvalable implementations.

The new GraphWalker function, Execute(), is meant to replace both
EnterEvalTree and ExitEvalTree, and wraps the call to the
GraphNodeExecutable's Execute function.
2020-09-04 14:03:45 -04:00