Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

website: Documentation of how provisioners upload files #30297

Merged
merged 1 commit into from
Jan 6, 2022
Merged

website: Documentation of how provisioners upload files #30297

merged 1 commit into from
Jan 6, 2022

Conversation

apparentlymart
Copy link
Contributor

We recently made a change to how provisioners upload files in order to address an unintended remote code execution vector when using SSH, which revealed that we had not previously documented well enough the expected contract for how provisioners upload files to remote systems, and so some users were depending on unintended consequences of the the bug now fixed.

We are retaining the fix on security-related grounds, but this is a good prompt to be clearer in the docs about what exactly Terraform is doing when asked to upload files over SSH and WinRM, so users can understand what is supported and write their configurations accordingly. The provisioners documentation hasn't had a comprehensive edit pass for a long time now, so while in the area I also took the opportunity to fix some idiosyncratic writing that wasn't consistent with our modern "documentation voice", although I tried to stop myself before I got too carried away and so it isn't comprehensive.

This also includes an additional section to the v1.1 upgrade guide, since we apparently neglected to document this intentional breaking change in the first draft of that page.

Of course, provisioners as a whole remain a last resort, and so we're documenting this as hopefully a helpful aid to those who have no other option, and not meaning in any way to recommend their use for any new use-cases.

This closes #30243.

@apparentlymart
website: Documentation of how provisioners upload files
30fdf9d 
We recently made a change to how provisioners upload files in order to
address an unintended remote code execution vector when using SSH, which
revealed that we had not previously documented well enough the expected
contract for how provisioners upload files to remote systems, and so some
users were depending on unintended consequences of the the bug now fixed.

We are retaining the fix on security-related grounds, but this is a good
prompt to be clearer in the docs about what exactly Terraform is doing
when asked to upload files over SSH and WinRM, so users can understand
what is supported and write their configurations accordingly.

This also includes an additional section to the v1.1 upgrade guide, since
we apparently neglected to document this intentional breaking change in
the first draft of that page.

Of course, provisioners as a whole remain a last resort, and so we're
documenting this as hopefully a helpful aid to those who have no other
option, and not meaning in any way to recommend their use for any new
use-cases.
@apparentlymart apparentlymart requested a review from a team January 5, 2022 20:29
@apparentlymart apparentlymart self-assigned this Jan 5, 2022
@apparentlymart apparentlymart added the 1.1-backport If you add this label to a PR before merging, backport-assistant will open a new PR once merged label Jan 5, 2022
@apparentlymart apparentlymart added this to the v1.1.3 milestone Jan 5, 2022
@apparentlymart
Copy link
Contributor Author

As usual, the "website-link-check" is not yet updated to work with the new website stack and so it just always fails without checking anything useful. I did my best to manually verify that all of the in-page fragment links I added here are valid.

jbardin
jbardin approved these changes Jan 6, 2022
View reviewed changes
Copy link
Member

@jbardin jbardin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM (assuming the links actually do resolve correctly)

@apparentlymart apparentlymart merged commit 087c2f0 into main Jan 6, 2022
@teamterraform teamterraform mentioned this pull request Jan 6, 2022
Merged
@github-actions
Copy link

github-actions bot commented Feb 6, 2022

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 6, 2022
@xiehan xiehan deleted the doc-provisioner-scp branch July 22, 2024 12:11
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@jbardin jbardin jbardin approved these changes

Assignees

@apparentlymart apparentlymart

Labels
1.1-backport If you add this label to a PR before merging, backport-assistant will open a new PR once merged documentation enhancement
Projects
None yet
Milestone
v1.1.3
Development

Successfully merging this pull request may close these issues.

Regression in 1.1: script_path in remote-exec no longer uploads file to ~ paths
2 participants
@apparentlymart @jbardin