PSS: Implement initialisation of new working directory (or use of -reconfigure flag) while using state_store
#37732
+1,284
−210
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The equivalence tests failed. Please investigate here. |
SarahFrench
commented
Oct 7, 2025
There was a problem hiding this comment.
Leaving some thoughts of my own & highlighting some things, as I appreciate this is a large PR to parse. There are a bunch of changes but hopefully it's manageable once the test fixture changes are hidden and once it's clear that all the new code is feeding into or is called by the new stateStore_C_s method.
a41b9da to
4c2528d
Compare
|
I just force pushed to remove some commits that included changes to try debug the test failure on the PR, no code changes were added other than the new commit 4c2528d Ideally I'd like to get that removed test code working, but I'm unsure why the |
radeksimko
reviewed
Oct 8, 2025
SarahFrench
commented
Oct 9, 2025
SarahFrench
commented
Oct 9, 2025
3 tasks
6db7a4b to
5bf78bf
Compare
|
Force push was to rebase onto #37762 and change any new errors in this PR into functions in meta_backend_errors.go |
This can only be done once modules have been parsed and the required providers data is available. There are multiple places where config is parsed, into either Config or Module structs, so this needs to be implemented in multiple places.
…hat data isn't empty
…ng code to access the provider schema when using provider configuration data.
…version Version. This is needed for using locks when creating the backend state file.
…eStore_C_s`. Default to creating the default workspace if no workspaces exist.
The `testingOverrides` field will only be set in tests, so this should not impact end users.
… time (and do the same when forced by -reconfigure flag). Remove replaced tests.
…e default workspace by default when -input=false (i.e for use in CI). Refactor creation of default workspace logic. Add tests.
…n't exist, but other workspaces do exist. The consequences here are due to using `selectWorkspace` in `stateStore_C_s`, matching what's done in `backend_C_r_s`.
This test passes when run in isolation but fails when run alongside other tests, even when skipping all other tests using `testStdinPipe`. I don't think the value of this test is great enough to start changing how we test stdin input.
…t is enabled or disabled
…ils of errors copying data to stdin. Note: We cannot call t.Fatal from a non-test goroutine.
…or reattached provider is in use.
…atching entry in required_providers
82372c1 to
e79ea11
Compare
SarahFrench
commented
Oct 13, 2025
radeksimko
reviewed
Oct 14, 2025
… enabled, enforce coupling of PSS-related flags when in use.
radeksimko
approved these changes
Oct 15, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR allows an
initcommand to successfully initialise a project that uses the newstate_storeblock:-reconfigureflag.Behaviour changes versus the equivalent logic for backends
1) Problem: Creation of workspaces is not explicit and happens as a side effect of other code
Expand to read details about current behaviour with `backend`
Currently during an
initcommand when using abackendblock the state file for a new workspace is first created as a side effect of obtaining a state manager for that workspace's state. What this looks like depends on whether it's a custom workspace or the"default"workspace.During an init the default default workspace's state file may be created, depending on the backend in use. If it's not made during init it'll be created later when the first
applypersists state. When using the local backend the default workspace file is only made at apply time. When using the gcs backend this code responds to there being no state present for a given workspace by creating that state file, including for the default workspace. Other backends like s3 do this but only for custom workspaces, and the default workspace's state file is only made at apply time.The code linked above is also used when new custom workspaces are created when a user runs a
workspace newcommands. This code creates the new workspace as a side effect of obtaining a state manager.Something worth calling out: remote-state backends create state files for non-default workspaces when obtaining a state manager via the
StateMgrmethod to ensure that the new workspace is listed by theWorkspacesmethod later in the same operation. Also, all remote-state backends'Workspacesmethods are hardcoded to report that the"default"workspace exits, regardless of whether there is a default workspace state file.Overall this shows that Terraform core relies on remote-state backends being implemented in a consistent way for Terraform operations to work as expected. This is a risk, as we cannot rely on all pluggable state storage implementations being implemented in a consistent way to match how remote-state backends behave today.
Solution: Make creation of workspaces (i.e. persisting empty state in a way that signifies a new workspace) an explicit responsibility of Terraform core code
Terraform will now explicitly create custom workspaces by writing an empty state to a new file via the state store.
The default workspace will need special handling, as it's not consciously created by users like custom workspaces are. Instead the
initcommand will need to detect if the default workspace is selected but doesn't currently exist, and then persist an empty state file for the default workspace. This is achieved here:terraform/internal/command/meta_backend.go
Lines 1784 to 1794 in 07e4d23
Creating the default workspace will happen by default and will not ask the user for confirmation, which matches the UX with backends. If a user wants to skip this behaviour in CI they can set
-create-default-workspace=falseand-input=false. The -create-default-workspace flag default to true, and it cannot be set to false if Terraform is not in CI (i.e. -input=true`).2) Before: Users prompted for input if required fields aren't in the configuration (or present in override data)
If a user doesn't supply a value for a required field in a backend they're prompted for a value through the terminal:
terraform/internal/command/meta_backend.go
Lines 1812 to 1818 in d573104
After: Terraform will return errors to users and prompt them to supply a value for the required field via other methods.
We've purposefully avoided prompting users for missing values. Instead, users should supply values through configuration, overrides, or ENVs. If users require the ability to supply values through input during another operation we should wait for feature requests to learn more about the reasons/use case.
Target Release
N/A
Rollback Plan
Changes to Security Controls
Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.
CHANGELOG entry