Skip to content

catch up#1

Merged
drthornt merged 5978 commits into
drthornt:masterfrom
hashicorp:main
Jul 1, 2026
Merged

catch up#1
drthornt merged 5978 commits into
drthornt:masterfrom
hashicorp:main

Conversation

@drthornt

@drthornt drthornt commented Jul 1, 2026

Copy link
Copy Markdown
Owner

whoa

austinvalle and others added 30 commits April 30, 2026 15:24
We can't fully detect why a module source or version might be unknown,
so instead use a simpler error that covers all possible reasons. If we
do find a way to get more specific in the future, we can extent it then,
but the current errors were trying to be specific when they couldn't.
We can't detect why a provider function is missing is all cases, so
get rid of the extra logic trying to do that.

We also admit here that we need to allow a provider function within a
variable validation condition, because that is not the only way these
could fail during init, and it's otherwise valid during the next phase.
…ring-init

Fixed various "unknown provider function" errors that occur during init
…r download in `init` (#38502)

* test: Add pre-release to available providers. Existing tests don't use it because the configuration doesn't specify the prerelease as the version constraint.

This was the gap in my understanding - prerelease providers are handled differently in the installer logic. I believe it boils down to this: https://github.com/apparentlymart/go-versions/blob/29863fd2ba61c1fbf5b5529907e1463dd4e197de/versions/set_released.go#L5-L7

* test: Add failing tests that show expected behaviour when a pre-release of a provider is used

* fix: Ensure that any relevant version constraints from the config are available to use when installing providers present in the state

* test: Add test defining pre-release download behaviour that was present before v1.15

* test: Update test to reflect that 2 step init is no longer experimental or specific to the PSS project
…arguments package for parsing arguments and flags (#38430)

* refactor: Move method `ValidWorkspaceName` and related const into arguments package, update references

This function is primarily used to validate arguments, but it's used once (in (m *Meta) Workspace) in a different context, so I've left the original function signature in the command package.

* feat: Add `workspace new`-related code to arguments package

* refactor: Update `workspace new` to use the arguments package when parsing arguments

Note that this changes the format of errors returned when arg parsing fails - this is now wrapped in a diagnostic so now starts with `\nError: ` and has an extra trailing newline.

* feat: Add `workspace select`-related code to arguments package

* refactor: Update `workspace select` to use the arguments package when parsing arguments

Note that this changes the format of errors returned when arg parsing fails - this is now wrapped in a diagnostic so now starts with `\nError: ` and has an extra trailing newline.
… updates (#38505)

Bumps the github-actions-backward-compatible group with 2 updates: [actions/upload-artifact](https://github.com/actions/upload-artifact) and [actions/cache](https://github.com/actions/cache).


Updates `actions/upload-artifact` from 7.0.0 to 7.0.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@bbbca2d...043fb46)

Updates `actions/cache` from 5.0.4 to 5.0.5
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@6682284...27d5ce7)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions-backward-compatible
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions-backward-compatible
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…y with 2 updates (#38504)

Bumps the github-actions-breaking group with 2 updates in the / directory: [actions/github-script](https://github.com/actions/github-script) and [miniscruff/changie-action](https://github.com/miniscruff/changie-action).


Updates `actions/github-script` from 8.0.0 to 9.0.0
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](actions/github-script@ed59741...3a2844b)

Updates `miniscruff/changie-action` from 2.1.0 to 3.0.0
- [Release notes](https://github.com/miniscruff/changie-action/releases)
- [Changelog](https://github.com/miniscruff/changie-action/blob/main/CHANGELOG.md)
- [Commits](miniscruff/changie-action@5036dff...11bcad3)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-version: 9.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions-breaking
- dependency-name: miniscruff/changie-action
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions-breaking
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* command/output: Ignore warnings in JSON mode

* add changelog entry
…nstances in deeply nested modules (#38528)

* stackmigrate: fix recursive provider config resolution for resource instances in deeply nested modules

* added additional test for implict provider configs in deeply nested modules

* add changelog

* move changelog to 1.15
Co-authored-by: Jared Baker <jar-b@users.noreply.github.com>
…n initialising a state store for the first time (#38395)

* refactor: Replace use of prepareInstallerEvents method. This will allow finer control of callbacks when implementing security related features

* feat: Users are prompted to approve a provider used for PSS on first use, and only if downloaded via HTTP.

Prompts include signer details and key ID data.

* test: Users see "Authentication: unauthenticated" in prompt if network mirror doesn't include hashes

They'll see authentication data in all other prompt scenarios. There's no auth when using an fs mirror, but when those are in use we trust the providers already and no prompts are raised.

* refactor: Simplify how we prepare installation event callbacks by defining reused callbacks

* refactor: Remove unused parameters from `getProvidersFromState`
SarahFrench and others added 29 commits June 25, 2026 16:00
…is configured. (#38772)

Added tests showing that init detects changes in how PSS is used and raises errors referring users to the new `state migrate` command. This includes detection of provider version changes, which can only happen if changes happen out of band but we still need to protect against it.
Co-authored-by: hc-github-team-tf-core <github-team-tf-core@hashicorp.com>
… into new readLockedDependenciesFromPath method.

The reusable logic includes managing locks annotation, which could be missed if a command implementation used `depsfile.LoadLocksFromFile` directly.

Also, refactor to remove an instance of constant string for `".terraform.lock.hcl"`. Instead reference a const from `depsfile` instead, which should be the authoritative place this filename comes from.
…ing the dependency lock file post-migration.

This change updates `state migrate` to be able to download providers and, depending on the situation, update the dependency lock file.

If a state migration involves 1 or more state stores then the provider implementing those stores may need to be downloaded. There are situations where 0, 1, or 2 providers may need to be downloaded:
- 0 : The 1 or 2 providers used for source and destination state stores are in the dep lock file already.
- 1 : Either the provider used for both source and destination isn't downloaded (or there's no dep lock file), or one of the source or destination providers isn't present.
- 2 : Neither of the source and destination state stores' providers are present in the dependency lock file.

The provider used for the destination state store **must** be in the dep lock file after a successful migration. If the migration fails then the lock file will be untouched, but if it succeeds then the destination provider will either be added to or upgraded in the dependency lock file. Note: upgrade is not yet implemented, and will be a separate PR.

The process of updating the dependency lock file will never remove a provider. If the provider used for the source state store is present in the lock file but isn't present in the configuration (i.e. it was removed from required_providers when the config was changed to describe the new location for storing state) then its removal from the lock file will happen in a subsequent init command. This is because the `state migrate` command does not load the full configuration, only the root module, so it doesn't know about the configuration's full provider requirements. And that's not considering the state's provider requirements. Basically, `state migrate` does not manage the complete dependency lock file, but instead manages a single entry inside it.
…ck file and is used in both the source and destination
…rent providers

This includes scenarios where different providers are already in the lock file or not. Regardless of the starting conditions the command will download and use the necessary providers. The lock file will have the destination provider added or updated, but otherwise the file will be unchanged.
The `DIR` positional arguments have all been removed from the codebase in favour of the -chdir flag. Anyone attempting to use `DIR` will get an error reporting an unexpected positional argument and guidance to use -chdir instead.
Co-authored-by: hc-github-team-tf-core <github-team-tf-core@hashicorp.com>
…sources and data sources (#38781)

* Update the policy callback for `getresources` to return a partial response if any matching resource types are deferred

* Update `getdatasource` callback to returned deferred indicator from the `ReadDataSource` call to the provider.

* remove provider meta from `ReadDataSource` call in policy callback server
This change adds provider policy evaluation to the stacks runtime, which is evaluated immediately following a provider being configured (equivalent to when the module runtime evaluates provider policy). Additional test cases have been added for embedded stacks, which can also configure providers.
…m Policy is mutually exclusive with the PSS feature.
…38797)

This change removes the restrictions in PlanStackChanges and ApplyStackChanges preventing policy evaluation during refresh and destroy (which originally was omitting the policy client). Now, when a policy client is given to stacks, it will always be passed to the module runtime + used to evaluate provider policy if configured.
…od, for transparency.

This change pulls a lot of lock merging events out of methods and into the init command's Run method. Previously the `getProviders` and `saveDependencyLockFile` methods performed some lock merging internally, but this should be the concern of the init command and not these methods. This makes it easier to reason about what happens in init when reading through the command (well, at least it's flatter/more transparent when reading though).

This change highlights that the init command only blocks the upgrade of the provider used for PSS through the final merging of locks before `saveDependencyLockFile` is invoked. The merge ensures that the provider version used for initialising the state store enters the lockfile instead of the lock for that provider returned from `getProviders`, which may have upgraded that provider.
Change `pssLocks` => `pssLock` to indicate only one lock is ever present if `getProvidersFromPSSConfig` is invoked.

Change `reqs` to `req` in `getProvidersFromPSSConfig`, to support the fact only one requirement is passed to the installer logic later in the method.

Change `configLocks` => `lock`, to show that a single lock it returned. Also, the old name configLocks is a hangover from when we had split download of providers in the config and the state.
…r positional arguments (#38799)

main.go has an if block with the expression `arg == "-v" || arg == "-version" || arg == "--version"`. This change updates a test to assert all 3 are accepted.

The new test defining how the command handles unexpected flags and positional arguments are intended to help with future refactoring, e.g. to make the command use the arguments and views packages in future.
…r provider versions are available, if the -upgrade flag is set to false.

This scenario is implicitly tested elsewhere, but this test makes it explicit.
Co-authored-by: Radek Simko <radeksimko@users.noreply.github.com>
Co-authored-by: hc-github-team-tf-core <github-team-tf-core@hashicorp.com>
@drthornt drthornt merged commit 0750dd5 into drthornt:master Jul 1, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.