terraform: validate providers' schemas during NewContext #28124
Conversation
This commit adds an attribute-specific InternalValidate which was extracted directly from the block.InternalValidate logic and extended to verify any NestedTypes inside an Attribute. Only one error message changed, since it is now valid to have a cty.NilType for Attribute.Type as long as NestedType is set.
We haven't been able to guarantee that providers are validating their own schemas using (some version of) InternalValidate since providers were split out of the main codebase. This PR adds a call to InternalValidate when provider schemas are initially loaded by NewContext, which required a few other changes: InternalValidate's handling of errors vs multierrors was a little weird - before this PR, it was occasionally returning a non-nil error which only stated "0 errors occurred" - so I addressed that in InternalValidate. I then tested this with a configuration that was using all of our most popular providers, and found that at least on provider had some invalid attribute names, so I commented that particular validation out. Adding that in would be a breaking change which we would have to coordinate with enablement and providers and (especially in this case) make sure it's well communicated to external provider developers. I ran a few very unscientific tests comparing the timing with and without this validation, and it appeared to only cause a sub-second increase.
Codecov Report
|
|
👋 Hi enablement! I don't need a code review from y'all (unless you want to!), but wanted you to see my proposal to run a function similar to |
|
Maybe one nitpick - is it worth surfacing the provider name too? e.g. change this to Pulling the bug report URL out of the Registry would be even cooler, but I think this would at least make it more obvious where exactly to report the bug to? That seems especially relevant when the resource name doesn't hold the prefix of the provider name. |
|
Oh geez, I hadn't realized the provider name isn't in there anywhere! Thank you! Here's the new version. I'll update the top comment, too. I'm not going to include the issues url in this PR since we'd need to do more refactoring than I want to get into right now. We don't have access to the provider installation information at that point, so we wouldn't know if it wasn't a registry provider. It's a great suggestion, though, and we should consider that for future work.
|
|
@mildwonkey I think the Lines 62 to 65 in c6278bb |
|
We generally use the full source for errors and ForDisplay for informational messages only. |
…he message, after the specific error.
|
Here's the most recent version of this error message. I moved the opening paragraph to the end, after the specific error message(s). In this example, I ran
|
| // However, we don't raise this here since it's checked by | ||
| // InternalValidate. | ||
| // This indicates an invalid schema, since it's not valid to define | ||
| // both an attribute and a block type of the same name. We assume |
There was a problem hiding this comment.
I like this adjustment of the comment highlighting the assumption (edit: I like this on multiple comments!)
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked as resolved and limited conversation to collaborators
Hello! This PR comes with a lead-in question before you look at the code: should we even do this? I think so, but if there's any controversy I can step back and RFC this. [updated with improved error message]
If agreed, I will have at least one more commit to improve the error message; I didn't want to spend any more time on it before confirming if this is a good idea in the first place.The terraform-plugin-sdk has a lovely series of InternalValidate functions that verify the validity of the providers' schemas during
Configure(entrypoint here). Terraform assumes that this is run for every provider.This is not a safe assumption, unfortunately: for example a provider not using our sdk might not implement something like
InternalValidate. Most of the mistakes that the validation would catch will result in errors in terraform (for e.g.: if an attribute is both required and computed, we'll get an invalid result after apply error). There's a new potential issue that will result in a panic: an attribute with both a non-nilTypeand aNestedType. (this is not yet included inInternalValidate; the sdk doesn't support the newNestedTypes yet).I started down this path because I wanted Terraform to validate the schema too, so we could catch errors at the beginning of a command instead of during plan or apply (apply being the worst case scenario). I tested this change with a config that used all of our top official providers (aws, azure, google, alicloud, oci, k8s), after which I removed one of the original checks that was in
configschema.InternalValidate(only called by our builtin providers), since that caused an error with theociprovider (invalid attribute names - that's a project for another day).If you prefer to review this commit-by-commit, this commentary on each might be helpful:
Attribute.InternalValidatefunction in this commit is incomplete (and buggy) so please ignore that.loadProviderSchemas(called duringterraform.NewContext) and fixes a bug with the error message returned by InternalValidateI don't like this error message as much as the one from the provider, but I am not sure how much I can improve it (I'm sure I can get the specific resource name in!), since in this case the error could be one of a series of diagnostics. I shouldn't just throw everything else away in favor of returning exactly/only the same message as the SDK does (I don't think I'm putting this into words very well; hit me up in slack if you want to talk through it).
Now for the pictures! Here's the current error message from the SDK if a provider has an invalid schema:
Here's the same error, caught by Terraform during NewContext. UPDATED VERSION
It's not as nice, and also notice that the failing resource name is missing: