Commit1ef78b6

blink-so[bot]

and

kylecarbs

committed

feat: warn when .terraform.lock.hcl is modified during terraform init

This change addresses issue#18237 by adding checksum validation for.terraform.lock.hcl files before and after running terraform init.When the lock file is modified during init, it indicates that providerhashes may be missing for the target architecture, leading to unnecessaryprovider downloads and slower provisioning.Changes:- Add calculateFileChecksum() helper function using SHA256- Add getTerraformLockFilePath() helper function- Modify init() function to calculate checksums before/after terraform init- Log warning when lock file changes with actionable guidance- Add unit tests for new functionalityThe warning message guides users to regenerate the lock file on the sameOS/architecture as their Coder instance to improve performance.Co-authored-by: kylecarbs <7122116+kylecarbs@users.noreply.github.com>

1 parent7d8b994 commit1ef78b6Copy full SHA for 1ef78b6

File tree

2 files changed

+89

-0

lines changed

provisioner/terraform
- executor.go
- executor_internal_test.go

2 files changed

+89

-0

lines changed

`‎provisioner/terraform/executor.go`

Lines changed: 46 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,8 @@ import (`
`4`	`4`	`"bufio"`
`5`	`5`	`"bytes"`
`6`	`6`	`"context"`
	`7`	`+"crypto/sha256"`
	`8`	`+"encoding/hex"`
`7`	`9`	`"encoding/json"`
`8`	`10`	`"fmt"`
`9`	`11`	`"io"`
`@@ -222,6 +224,10 @@ func (e *executor) init(ctx, killCtx context.Context, logr logSink) error {`
`222`	`224`	`e.mut.Lock()`
`223`	`225`	`defere.mut.Unlock()`
`224`	`226`
	`227`	`+// Calculate checksum of .terraform.lock.hcl before running terraform init`
	`228`	`+lockFilePath:=getTerraformLockFilePath(e.workdir)`
	`229`	`+preInitChecksum:=calculateFileChecksum(lockFilePath)`
	`230`	`+`
`225`	`231`	`outWriter,doneOut:=logWriter(logr,proto.LogLevel_DEBUG)`
`226`	`232`	`errWriter,doneErr:=logWriter(logr,proto.LogLevel_ERROR)`
`227`	`233`	`deferfunc() {`
`@@ -242,6 +248,31 @@ func (e *executor) init(ctx, killCtx context.Context, logr logSink) error {`
`242`	`248`	`}`
`243`	`249`
`244`	`250`	`err:=e.execWriteOutput(ctx,killCtx,args,e.basicEnv(),outWriter,errBuf)`
	`251`	`+`
	`252`	`+// Check if .terraform.lock.hcl was modified after terraform init`
	`253`	`+postInitChecksum:=calculateFileChecksum(lockFilePath)`
	`254`	`+ifpreInitChecksum!=""&&postInitChecksum!=""&&preInitChecksum!=postInitChecksum {`
	`255`	`+// Log warning about lock file changes`
	`256`	`+warningMsg:="WARNING: .terraform.lock.hcl was modified during 'terraform init'. "+`
	`257`	`+"This may indicate that provider hashes are missing for your target architecture. "+`
	`258`	`+"Consider regenerating the lock file on the same OS/architecture as your Coder instance "+`
	`259`	`+"to improve provisioning performance and avoid unnecessary provider downloads."`
	`260`	`+`
	`261`	`+// Write warning to both debug and error streams to ensure visibility`
	`262`	`+ifoutWriter!=nil {`
	`263`	`+_,_=outWriter.Write([]byte(warningMsg+"\n"))`
	`264`	`+}`
	`265`	`+iferrWriter!=nil {`
	`266`	`+_,_=errWriter.Write([]byte(warningMsg+"\n"))`
	`267`	`+}`
	`268`	`+`
	`269`	`+e.logger.Warn(ctx,"terraform lock file modified during init",`
	`270`	`+slog.F("lock_file_path",lockFilePath),`
	`271`	`+slog.F("pre_init_checksum",preInitChecksum),`
	`272`	`+slog.F("post_init_checksum",postInitChecksum),`
	`273`	`+)`
	`274`	`+}`
	`275`	`+`
`245`	`276`	`varexitErr*exec.ExitError`
`246`	`277`	`ifxerrors.As(err,&exitErr) {`
`247`	`278`	`ifbytes.Contains(errBuf.b.Bytes(), []byte("text file busy")) {`
`@@ -259,6 +290,21 @@ func getStateFilePath(workdir string) string {`
`259`	`290`	`returnfilepath.Join(workdir,"terraform.tfstate")`
`260`	`291`	`}`
`261`	`292`
	`293`	`+funcgetTerraformLockFilePath(workdirstring)string {`
	`294`	`+returnfilepath.Join(workdir,".terraform.lock.hcl")`
	`295`	`+}`
	`296`	`+`
	`297`	`+// calculateFileChecksum calculates the SHA256 checksum of a file.`
	`298`	`+// Returns empty string if file doesn't exist or can't be read.`
	`299`	`+funccalculateFileChecksum(filePathstring)string {`
	`300`	`+data,err:=os.ReadFile(filePath)`
	`301`	`+iferr!=nil {`
	`302`	`+return""`
	`303`	`+}`
	`304`	`+hash:=sha256.Sum256(data)`
	`305`	`+returnhex.EncodeToString(hash[:])`
	`306`	`+}`
	`307`	`+`
`262`	`308`	`// revive:disable-next-line:flag-parameter`
`263`	`309`	`func (eexecutor)plan(ctx,killCtx context.Context,env,vars []string,logrlogSink,metadataproto.Metadata) (*proto.PlanComplete,error) {`
`264`	`310`	`ctx,span:=e.server.startTrace(ctx,tracing.FuncName())`

`‎provisioner/terraform/executor_internal_test.go`

Lines changed: 43 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,8 @@ package terraform`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"encoding/json"`
	`5`	`+"os"`
	`6`	`+"path/filepath"`
`5`	`7`	`"testing"`
`6`	`8`
`7`	`9`	`tfjson"github.com/hashicorp/terraform-json"`
`@@ -173,3 +175,44 @@ func TestOnlyDataResources(t *testing.T) {`
`173`	`175`	`})`
`174`	`176`	`}`
`175`	`177`	`}`
	`178`	`+`
	`179`	`+funcTestGetTerraformLockFilePath(t*testing.T) {`
	`180`	`+t.Parallel()`
	`181`	`+`
	`182`	`+workdir:="/tmp/test"`
	`183`	`+expected:=filepath.Join(workdir,".terraform.lock.hcl")`
	`184`	`+got:=getTerraformLockFilePath(workdir)`
	`185`	`+require.Equal(t,expected,got)`
	`186`	`+}`
	`187`	`+`
	`188`	`+funcTestCalculateFileChecksum(t*testing.T) {`
	`189`	`+t.Parallel()`
	`190`	`+`
	`191`	`+// Test with non-existent file`
	`192`	`+checksum:=calculateFileChecksum("/non/existent/file")`
	`193`	`+require.Equal(t,"",checksum)`
	`194`	`+`
	`195`	`+// Test with actual file`
	`196`	`+tmpDir:=t.TempDir()`
	`197`	`+testFile:=filepath.Join(tmpDir,"test.txt")`
	`198`	`+testContent:="test content for checksum"`
	`199`	`+`
	`200`	`+err:=os.WriteFile(testFile, []byte(testContent),0644)`
	`201`	`+require.NoError(t,err)`
	`202`	`+`
	`203`	`+checksum1:=calculateFileChecksum(testFile)`
	`204`	`+require.NotEmpty(t,checksum1)`
	`205`	`+require.Len(t,checksum1,64)// SHA256 hex string length`
	`206`	`+`
	`207`	`+// Same content should produce same checksum`
	`208`	`+checksum2:=calculateFileChecksum(testFile)`
	`209`	`+require.Equal(t,checksum1,checksum2)`
	`210`	`+`
	`211`	`+// Different content should produce different checksum`
	`212`	`+err=os.WriteFile(testFile, []byte("different content"),0644)`
	`213`	`+require.NoError(t,err)`
	`214`	`+`
	`215`	`+checksum3:=calculateFileChecksum(testFile)`
	`216`	`+require.NotEqual(t,checksum1,checksum3)`
	`217`	`+require.Len(t,checksum3,64)`
	`218`	`+}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit1ef78b6

File tree

2 files changed

2 files changed

`‎provisioner/terraform/executor.go`

`‎provisioner/terraform/executor_internal_test.go`

0 commit comments