Skip to content

PSS: Validate the backend or state store configurations described by plan files #37948

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 16 commits into
base: pss/update-how-operations-use-backend-config-state
Choose a base branch
from
Draft

PSS: Validate the backend or state store configurations described by plan files #37948

wants to merge 16 commits into from
+1,554 −142

Conversation

@SarahFrench
Copy link
Member

@SarahFrench SarahFrench commented Nov 28, 2025
edited
Loading

This PR is blocked by review of #37946, #37956, and #37957

Follows #37248

This PR adds validation to stop Terraform writing or using a planfile that has incomplete descriptions of the backend or state store configuration.

Target Release

N/A

Rollback Plan

  • If a change needs to be reverted, we will roll out an update to the code within 7 days.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

CHANGELOG entry

  • This change is user-facing and I added a changelog entry.
  • This change is not user-facing.

@SarahFrench SarahFrench added the no-changelog-needed Add this to your PR if the change does not require a changelog entry label Nov 28, 2025
@github-actions

This comment was marked as outdated.

Sign in to view
@SarahFrench SarahFrench force-pushed the pss/update-how-operations-use-backend-config-state branch from 94d4233 to 9a018e9 Compare November 28, 2025 12:25
@SarahFrench SarahFrench mentioned this pull request Nov 28, 2025
Closed
3 tasks
@SarahFrench SarahFrench force-pushed the pss/update-how-operations-use-backend-config-state branch from 9a018e9 to d16ebe6 Compare November 28, 2025 12:47
@SarahFrench SarahFrench force-pushed the pss/validate-backend-state-store-config-in-plans branch from b44b360 to c6922ef Compare November 28, 2025 12:55
@SarahFrench SarahFrench force-pushed the pss/update-how-operations-use-backend-config-state branch from d16ebe6 to f795158 Compare November 28, 2025 16:16
@SarahFrench
refactor: Rename Meta's backendState field to backendConfigState
f03346b 
This helps with navigating ambiguity around the word backend. The new name should indicate that the value represents a `backend` block, not a more general interpretation of what a backend is.
@SarahFrench
fix: Only set backendConfigState to synthetic object if it's nil due …
fb35d84 
…to a lack of data. Don't change it if pluggable state storage is in use.
@SarahFrench
feat: Enable recording a state store's details in an Operation, and u…
d0f8834 
…sing that data when creating a plan file.
@SarahFrench
fix: Include provider config when writing a plan file using pluggable…
aaffae2 
… state storage
@SarahFrench
fix: Having backendConfigState be nil may be valid, but it definite…
59a8f83 
…ly isn't valid for `stateStoreConfigState` to be nil

I'm about 90% sure that backendConfigState being nil is ok <_<
@SarahFrench
test: Add integration test showing that a plan command creates a plan…
9243396 
… file with the expected state_store configuration data
@SarahFrench
feat: Allow reading state store configuration from a planfile and usi…
44b0a6e 
…ng it to prepare a Local backend that uses the state store
@SarahFrench
test: Assert that we can get and use state store configuration from a…
708e3b2 
… plan file
@SarahFrench
test: Add integration test showing that an apply command can use a pl…
360bcf7 
…an file to configure and use a state store
@SarahFrench
test: Add E2E test showing pluggable state storage being used with th…
225f16f 
…e full init-plan-apply workflow
@SarahFrench
feat: A plan file will report the state storage provider among its re…
945c10e 
…quired providers, if PSS is in use.

See the code comment added in this commit. This addition does not impact an apply command as the missing provider will be detected before this code is executed. However I'm making this change so that the method is still accurate is being able to return a complete list of providers needed by the plan.
@SarahFrench
fix: Include error messages when there is a problem parsing provider …
6a44102 
…or state store config when getting a backend from a planfile
@SarahFrench
test: Update test helper to set Workspace in planfile description of …
a61fe8e 
…Backend, so the planfile's Backend struct isn't flagged as empty.
@SarahFrench
test: Update tests so that all fields in the plan's representation of…
e990a27 
… the Backend config are set
@SarahFrench
feat: Add Validate method for asserting that a plan's description o…
549b21e 
…f a backend or state store is complete

The alternative approach would be to change the existing `Backend` field in the `Plan` struct to be a pointer. I'm open to either option, but the approach of using an `Empty` method matches existing work in the `workdir` package when inspecting the backend state file, and that seems a similar use-case to inspecting the plan file.
@SarahFrench
feat: Make Terraform assert that the description of a backend or stat…
e3f20b8 
…e store is complete when reading or writing a plan file
@SarahFrench SarahFrench force-pushed the pss/validate-backend-state-store-config-in-plans branch from c6922ef to e3f20b8 Compare December 2, 2025 13:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

no-changelog-needed Add this to your PR if the change does not require a changelog entry

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@SarahFrench