Commit Graph

28023 Commits

Author SHA1 Message Date
Alisdair McDiarmid e27aacebf9 command/jsonplan: Add sensitive value mapping data
Similar to `after_unknown`, `before_sensitive` and `after_sensitive` are
values with similar structure to `before` and `after` which encode the
presence of sensitive values in a planned change. These should be used
to obscure sensitive values from human-readable output.

These values follow the same structure as the `before` and `after`
values, replacing sensitive values with `true`, and non-sensitive values
with `false`. Following the `after_unknown` precedent, we omit
non-sensitive `false` values for object attributes/map values, to make
serialization more compact.

One difference from `after_unknown` is that a sensitive complex value
(collection or structural type) is replaced with `true`. If the complex
value itself is sensitive, all of its contents should be obscured.
2021-03-26 19:26:10 -04:00
Alisdair McDiarmid a12c413b84 plans/planfile: Add required-replace and sensitive
The stored planfile now serializes the required-replace path set and the
collection of before/after sensitivity marks. This ensures that storing
a plan and displaying it with `terraform show` renders the same output
for plans with required-replace resources, and those with sensitive
values in the diff.
2021-03-25 14:42:34 -04:00
Dennis Gursky 550de86135
Set Intersection #performance (#28183)
* Set Intersection #performance

Intersection is faster for sets of different sizes if one iterates over the shorter set and checks the presence of an element in a larger one. For an edge case consider `s` having 1M entries and `other` no entries at all. In this case original code will iterate over 1M entries in `s` not finding anything and then returning an empty result set. In the patched code the iteration won't happen at all and result is returned immediately.

This change is inspired by profiling a relatively large terraform configuration, where the time to validate was sped up 4x with this change.
2021-03-24 13:04:37 -04:00
James Bardin 07ecfb13f0
Merge pull request #28180 from hashicorp/jbardin/mark-provider-sensitive
check for unknowns when marking resource values
2021-03-24 10:26:07 -04:00
James Bardin 8cba2bfc39 check for unknowns when marking resource values
When we map schema sensitivity to resource values, there may be unknowns
when dealing with planned objects. Check for unknowns before iterating
over block values.
2021-03-23 17:06:18 -04:00
Alisdair McDiarmid 841cced6c9
Merge pull request #28138 from hashicorp/alisdair/command-views-validate
cli: Migrate validate command to views
2021-03-23 13:13:06 -04:00
James Bardin b5e5948b64
Merge pull request #28176 from hashicorp/jbardin/destroy-doc
update destroying doc to show show more CBD detail
2021-03-23 13:04:56 -04:00
James Bardin 44199ae4ba update destroying doc to show show more CBD detail
Update the create-before-destroy cases in the destroying.md document.
2021-03-23 11:21:43 -04:00
James Bardin 0ebc71383b
Merge pull request #28165 from hashicorp/jbardin/destroy-update-dep
Destroy then update dependency ordering
2021-03-23 11:04:55 -04:00
Alisdair McDiarmid 0e43fa9834
Merge pull request #28166 from hashicorp/alisdair/fix-typo
Fix typo in plan no changes output message
2021-03-23 09:31:43 -04:00
Alisdair McDiarmid 7242d9af2b Fix typo in plan no changes output message 2021-03-22 16:39:53 -04:00
Alisdair McDiarmid 46c2dce0fb Fix broken test 2021-03-22 16:38:56 -04:00
James Bardin dcb12195a3 update destroying.md
Update the full-replacement example graph to show the transitive
dependency that is required for the destroy-then-update case. Add
another example describing the case where we reduce the graph to
only an update and replace and the dependency on the destroy node
remains.
2021-03-22 15:29:51 -04:00
James Bardin 0bc64e3cc4 tests for destroy-then-update dependency ordering 2021-03-22 14:18:54 -04:00
Kristin Laemmert b9138f4465
terraform: validate providers' schemas during NewContext (#28124)
* checkpoint save: update InternalValidate tests to compare exact error

* configschema: extract and extend attribute validation

This commit adds an attribute-specific InternalValidate which was extracted directly from the block.InternalValidate logic and extended to verify any NestedTypes inside an Attribute. Only one error message changed, since it is now valid to have a cty.NilType for Attribute.Type as long as NestedType is set.

* terraform: validate provider schema's during NewContext

We haven't been able to guarantee that providers are validating their own schemas using (some version of) InternalValidate since providers were split out of the main codebase. This PR adds a call to InternalValidate when provider schemas are initially loaded by NewContext, which required a few other changes:

InternalValidate's handling of errors vs multierrors was a little weird - before this PR, it was occasionally returning a non-nil error which only stated "0 errors occurred" - so I addressed that in InternalValidate. I then tested this with a configuration that was using all of our most popular providers, and found that at least on provider had some invalid attribute names, so I commented that particular validation out. Adding that in would be a breaking change which we would have to coordinate with enablement and providers and (especially in this case) make sure it's well communicated to external provider developers.

I ran a few very unscientific tests comparing the timing with and without this validation, and it appeared to only cause a sub-second increase.

* refactor validate error message to closer match the sdk's message

* better error message

* tweak error message: move the instruction to run init to the end of the message, after the specific error.
2021-03-22 13:17:50 -04:00
Kristin Laemmert 77562d9b57
command/jsonprovider: bump format version (#28115)
Support for attributes with NestedTypes was added in https://github.com/hashicorp/terraform/pull/28055, and should have included a format version bump: this is a backwards-compatible change, but consumers will need to be updated in order to properly decode attributes (with NestedTypes) going forward.
2021-03-22 11:45:36 -04:00
Tej-Singh-Rana 2a49d908b8
fix the typo (#28140) 2021-03-22 10:51:45 -04:00
Kristin Laemmert 125e9d69d4
terraform-bundle: return an error if "versions" argument is omitted (#28158) 2021-03-22 10:51:03 -04:00
James Bardin 8671f40768 connect destroyers to all stored create deps
We currently count on interconnecting destroy nodes to handle the
create->destroy dependency edge for replacement, but when the create
node is only an update we don't connect that edge directly.

Lookup all creators that are dependencies of the destory node and ensure
they are connected.
2021-03-21 12:14:47 -04:00
Alisdair McDiarmid dd380d0b58 cli: Migrate validate command to views 2021-03-18 15:56:28 -04:00
Pam Selle 683422e54f
Merge pull request #28113 from hashicorp/pselle/provider_sensitive_attrs_docs
Update documentation for provider_sensitive_attrs experiment
2021-03-18 11:24:55 -04:00
James Bardin c6278bbe37
Merge pull request #28042 from jasons42/update-workspaces-docs
Indicate etcdv3 support for multiple workspaces in docs
2021-03-17 14:13:08 -04:00
James Bardin 2e3aa96988
Merge pull request #28099 from jasons42/duplicate-default-workspace
Fix duplicate default state
2021-03-17 14:11:04 -04:00
James Bardin 439bf9a96d
Merge pull request #28097 from jasons42/etcdv3-acceptance-tests
Fix type conversion panic
2021-03-17 14:10:54 -04:00
Martin Atkins df1d932fd2 build: Use Go 1.16.2
Unfortunately at the moment I'm adding this the release isn't yet
available in the current version of goenv, but due to these including
security stuff and because we're about to make a Terraform release we're
letting this get slightly ahead of goenv on the assumption that it will
catch up shortly.
2021-03-17 10:27:37 -07:00
Alisdair McDiarmid 8322ab4a74
Merge pull request #28126 from hashicorp/alisdair/validate-traversal-caveat
documentation: Clarify JSON diagnostic values traversal semantics
2021-03-17 11:52:41 -04:00
Alisdair McDiarmid b6ca782993 documentation: Clarify JSON diagnostic traversal
The traversal value is normally a valid HCL string, but can be
simplified if a traversal step has a complex index value (e.g. an
object). This means it is not always parseable HCL, so this commit
updates the documentation to clarify this and explicitly record that we
do not guarantee its contents are stable. The purpose of these values is
purely for building human-readable UI.
2021-03-17 11:46:24 -04:00
Alisdair McDiarmid 53739f0aac
Merge pull request #28108 from hashicorp/alisdair/validate-json-format-version
cli: Add format version to validate -json output
2021-03-17 11:38:21 -04:00
Martin Atkins 89b2405080 lang/funcs: "sensitive" and "nonsensitive" functions
These aim to allow hinting to Terraform about situations where it's not
able to automatically infer value sensitivity.

"nonsensitive" is for situations where Terraform's behavior is too
conservative, such as when a new value is derived from a sensitive value
in such a way that all of the sensitive content is removed.

"sensitive", on the other hand, is for situations where Terraform can't
otherwise infer that a value is sensitive. These situations should be
pretty rare in a module that's making effective use of sensitive input
variables and output values, but the documentation shows one example of
an uncommon situation where a more direct hint via this function would
be needed.

Both of these functions are aimed at only occasional use in unusual
situations. They are here for reasons of pragmatism, not because we
expect them to be used routinely or recommend their use.
2021-03-16 16:26:22 -07:00
Paddy 0b5c4a6a2c
Accept TF_LOG=json to enable TRACE logs in JSON format
This is not currently a supported interface, but we plan to release
tool(s) that consume parts of it that are more dependable later,
separately from Terraform CLI itself.
2021-03-16 14:59:15 -07:00
James Bardin acfa79b7b2
Merge pull request #28116 from hashicorp/jbardin/hcl-cty-update
update hcl and go-cty
2021-03-16 17:14:47 -04:00
James Bardin 523eddd760 update hcl and go-cty 2021-03-16 16:50:30 -04:00
Pam Selle 81e8167a4c Update documentation for provider_sensitive_attrs experiment
Update documentation to reference that this experiment is now
default in 0.15+
2021-03-16 13:31:43 -04:00
James Bardin 1338502c7b
Merge pull request #26924 from remilapeyre/concurrent-locks-pg
Use a global sequence to create the IDs for each workspace
2021-03-16 11:28:04 -04:00
Alisdair McDiarmid 46a29b13ed cli: Add format version to validate -json output
In line with the other complex JSON output formats for plan and provider
schema, here we add an explicit `format_version` field to the JSON
output of terraform validate.
2021-03-16 09:46:36 -04:00
Alisdair McDiarmid d4e7a74f7e
Merge pull request #28093 from hashicorp/alisdair/fix-new-remote-workspace-state-migration
backend/remote: Fix new workspace state migration
2021-03-16 09:32:49 -04:00
Jason Smith 188ea61a12 Fix duplicate default state
The default state is already explicitly added to the result slice. Added
a guard to prevent it being added a second time.

Fixes https://github.com/hashicorp/terraform/issues/28098
2021-03-15 16:33:31 -05:00
Jason Smith 3e8ebd6f40 Fix type conversion panic
etcdv3 acceptance tests fail due to attempting to pass slices of strings
for the endpoints config to HCL2ValueFromConfigValue() which does not
handle that type.

Not a pretty solution but a helper function that converts the endpoints to a slice of
empty interfaces satisfies the requirements of the
HCL2ValueFromConfigValue function.

fixes https://github.com/hashicorp/terraform/issues/28096
2021-03-15 16:09:44 -05:00
Alisdair McDiarmid 4b159416ff backend/remote: Fix new workspace state migration
When migrating state to a new workspace, the version check would error
due to a 404 error on fetching the workspace record. This would result
in failed state migration.

Instead we should look specifically for a 404 error, and allow migration
to continue. If we're just about to create the workspace, there can't be
a version incompatibility problem.
2021-03-15 15:48:14 -04:00
Pam Selle 34536daff9
Merge pull request #28036 from hashicorp/pselle/provider_sensitivity_non-experiment
Make provider sensitivity default behavior
2021-03-15 10:23:04 -04:00
Kristin Laemmert fac60ab124
Add formatting for attributes with nested types (#28069)
* format/diff: extract attributes-writing logic to a function

This is a stepping-stone commit (for easier reviewability, and to prove that tests did not change) as part of writing a NestedType-specific diff printer.

* command/format: add support for formatting attributes with NestedTypes

This commit adds custom formatting for NestedType attributes. THe logic was mostly copied from the block diff printer, with minor tweaks here and there. I used the (excellent) existing test coverage and added a NestedType attribute to every test.

Since the (nested-block specific) test schemas were nearly identical, I added a function that returns the schema with the requested NestingMode.
2021-03-15 09:31:23 -04:00
Alisdair McDiarmid 783936f4c7
Merge pull request #28067 from hashicorp/alisdair/defaults-fix-null-structural-types
functions: Fix defaults for null objects/tuples
2021-03-15 08:03:08 -04:00
Alisdair McDiarmid 8a77f3f25f
Merge pull request #28057 from hashicorp/alisdair/json-diagnostics
cli: Add comprehensive JSON diagnostic structure
2021-03-15 08:02:49 -04:00
Alisdair McDiarmid 7f97bd4489 functions: Fix missing defaults for objects/tuples
If no default is specified for a nested optional structural typed
attribute, the defaults function should just pass through its input.
Before this commit the function assumed that the fallback value was
always of the correct type, which would panic.
2021-03-12 18:14:14 -05:00
James Bardin 0750a16cce
Merge pull request #28072 from hashicorp/jbardin/provider-meta-interpolation
validate provider_meta contains no interpolations
2021-03-12 17:12:58 -05:00
Alisdair McDiarmid 2a85f0483f website: Update validate -json diags documentation
Updated to include details about the new "snippet" object in JSON
diagnostics.
2021-03-12 14:25:11 -05:00
Alisdair McDiarmid c92826c14d cli: Use standard JSON diagnostics for validate
Now that we have a comprehensive JSON diagnostic structure, we can use
it in the `validate -json` output instead of the inline version. Note
that this changes the output of `validate -json` in two ways:

1. We fix some off-by-one errors caused by zero-width highlight ranges.
   This aligns the JSON diagnostic output with the text output seen by
   most Terraform users, so I consider this a bug fix.
2. We add the `snippet` field to the JSON diagnostics where available.
   This is purely additive and is permitted under our JSON format
   stability guarantees.
2021-03-12 13:12:37 -05:00
Alisdair McDiarmid d9d88b9243 cli: Add comprehensive JSON diagnostic structure
This commit adds a comprehensive JSON format for diagnostics, which
ensures that all current diagnostic output can be semantically
represented in a machine-readable format. The diagnostic formatter
interface remains unchanged, but it first transforms its input via the
JSON format to ensure that there is only one code path for creating the
diagnostic data.

The JSON diagnostic renderer extracts the non-presentational logic from
the format package, and returns a structure which can either be
marshaled into JSON or rendered as text. The resulting text diagnostic
output is unchanged for all cases covered by unit tests and my own
manual testing.

Included in this commit are a number of golden reference files for the
marshaled JSON output of a diagnostic. This format should change rarely
if at all, and these are in place to ensure that any changes to the
format are intentional and considered.
2021-03-12 13:12:37 -05:00
Martin Atkins dc7f2b7314 website: docs for the terraform validate JSON output 2021-03-12 09:39:56 -08:00
James Bardin 759b76436a validate provider_meta contains no interpolations
The provider_meta specification does not allow interpolation, but we
were not preventing it in the configuration.
2021-03-12 12:10:25 -05:00