command/init: Add a new flag -lockfile=readonly
#27630
Conversation
Codecov Report
|
|
What about a flag to ignore it vs. not update it? |
minamijoyo
force-pushed
the
init-lockfile-readonly
branch
from
edc341a
to
755a48d
Compare
|
An option to 'ignore' would be ideal for CI/CD systems as it somewhat avoids the multi-arch issue... |
|
@wyardley @richardj-bsquare Sorry for the plug but I believe you should submit separate feature requests/pull requests your yours. Let's make separate things separate. Also, changes in this PR should be awesome foundations for your future enhancements. I find this feature pretty solid and valid on its own 👍 |
|
@apparentlymart Could you review this? |
There was a problem hiding this comment.
Thanks for following up on this, @minamijoyo! Sorry for the delay in reviewing.
This looks good to me, with some minor notes inline from reading the code. I'd like to test it out locally and get a second opinion from someone else on @hashicorp/terraform-core.
command/init.go
Outdated
| @@ -767,6 +773,12 @@ func (c *InitCommand) getProviders(config *configs.Config, state *states.State, | |||
| // it's the smallest change relative to what came before it, which was | |||
| // a hidden JSON file specifically for tracking providers.) | |||
| if !newLocks.Equal(previousLocks) { | |||
| // if readonly mode, suppress changes | |||
| if flagLockfile == "readonly" { | |||
| log.Println("[DEBUG] init: detected changing dependencies, but suppressed by readonly mode") | |||
There was a problem hiding this comment.
I think we may want to output a warning to the UI here rather than a debug log. Maybe returning a warning diagnostic? For example:
diags = diags.Append(tfdiags.Sourceless(
tfdiags.Warning,
"Provider lock file not updated",
"Changes to the provider selections were detected, but not saved in the .terraform.lock.hcl file. To record these selections, run "terraform init" without the "-lockfile=readonly" flag.,
))| @@ -157,6 +157,7 @@ You can modify `terraform init`'s plugin behavior with the following options: | |||
| You can use `-plugin-dir` as a one-time override for exceptional situations, | |||
| such as if you are testing a local build of a provider plugin you are | |||
| currently developing. | |||
| - `-lockfile=MODE` Set dependency lockfile mode. Currently only "readonly" is valid. | |||
There was a problem hiding this comment.
It would be great to get some more detail on why you'd want to use this flag, and what the consequences are.
There was a problem hiding this comment.
I tested this locally, and while the happy path worked, I found one problem. From Martin's comment on the original issue:
I think the main requirement for that option is that installation can succeed as long as all packages can be verified with information already recorded in the lock file. The option would disable Terraform from updating the file to record any new information it learned (such as a hash using a new scheme) but Terraform would still rely on and check against the information already recorded.
I don't think this requirement is met with this PR. Here's what I did:
- Initialized a configuration depending on only
hashicorp/aws, and committed the lockfile - Deleted the
.terraformcache directory - Added a requirement for
hashicorp/randomto the configuration terraform init -lockfile=readonly
- Expected: error due to missing lockfile entry for
hashicorp/random - Actual: initialization succeeded without error
Unless I'm misunderstanding that requirement, I think we'd need to fix this issue before merge, so I'm marking this as "request changes" for now.
Fixes hashicorp#27506 Add a new flag `-lockfile=readonly` to `terraform init`. It would be useful to allow us to suppress dependency lockfile changes explicitly. The type of the `-lockfile` flag is string rather than bool, leaving room for future extensions to other behavior variants. The readonly mode suppresses lockfile changes, but should verify checksums against the information already recorded. It should conflict with the `-upgrade` flag. Note: In the original use-case described in hashicorp#27506, I would like to suppress adding zh hashes, but a test code here suppresses adding h1 hashes because it's easy for testing.
minamijoyo
force-pushed
the
init-lockfile-readonly
branch
from
a9a8201
to
e1af3d6
Compare
|
@alisdair Thank you for reviewing! |
There was a problem hiding this comment.
Thanks @minamijoyo, this looks good to me! I made a quick copy edit to one of the diagnostics to keep with our normal UI text house style, just to save another review round-trip.
Fixes #27506 Add a new flag `-lockfile=readonly` to `terraform init`. It would be useful to allow us to suppress dependency lockfile changes explicitly. The type of the `-lockfile` flag is string rather than bool, leaving room for future extensions to other behavior variants. The readonly mode suppresses lockfile changes, but should verify checksums against the information already recorded. It should conflict with the `-upgrade` flag. Note: In the original use-case described in #27506, I would like to suppress adding zh hashes, but a test code here suppresses adding h1 hashes because it's easy for testing. Co-authored-by: Alisdair McDiarmid <alisdair@users.noreply.github.com>
|
@alisdair Thanks! |
Fixes hashicorp#27506 Add a new flag `-lockfile=readonly` to `terraform init`. It would be useful to allow us to suppress dependency lockfile changes explicitly. The type of the `-lockfile` flag is string rather than bool, leaving room for future extensions to other behavior variants. The readonly mode suppresses lockfile changes, but should verify checksums against the information already recorded. It should conflict with the `-upgrade` flag. Note: In the original use-case described in hashicorp#27506, I would like to suppress adding zh hashes, but a test code here suppresses adding h1 hashes because it's easy for testing. Co-authored-by: Alisdair McDiarmid <alisdair@users.noreply.github.com>
command/init: Add a new flag `-lockfile=readonly` (v0.15 backport of #27630)
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked as resolved and limited conversation to collaborators
Fixes #27506
Add a new flag
-lockfile=readonlytoterraform init. It would be useful to allow us to suppress dependency lockfile changes explicitly. The type of the-lockfileflag is string rather than bool, leaving room for future extensions to other behavior variants.The readonly mode suppresses lockfile changes, but should verify checksums against the information already recorded. It should conflict with the
-upgradeflag.Note: In the original use-case described in #27506, I would like to suppress adding zh hashes, but a test code here suppresses adding h1 hashes because it's easy for testing.