fix: have terraform output adhere to authorization w/ cloud

Normally, `terraform output` refreshes and reads the entire state in the command package before pulling output values out of it. This doesn't give Terraform Cloud the opportunity to apply the read state outputs org permission and instead applies the read state versions permission. I decided to expand the state manager interface to provide a separate GetRootOutputValues function in order to give the cloud backend a more nuanced opportunity to fetch just the outputs. This required moving state Refresh/Read code that was previously in the command into the shared backend state as well as the filesystem state packages.
2025-12-25 01:00:16 -05:00 · 2022-03-16 22:47:06 -06:00
parent 5da30c2b65
commit c33c8b013f
16 changed files with 408 additions and 13 deletions
--- a/internal/command/output.go
+++ b/internal/command/output.go
@@ -82,17 +82,12 @@ func (c *OutputCommand) Outputs(statePath string) (map[string]*states.OutputValu
 		return nil, diags
 	}

-	if err := stateStore.RefreshState(); err != nil {
-		diags = diags.Append(fmt.Errorf("Failed to load state: %s", err))
-		return nil, diags
+	output, err := stateStore.GetRootOutputValues()
+	if err != nil {
+		return nil, diags.Append(err)
 	}

-	state := stateStore.State()
-	if state == nil {
-		state = states.NewState()
-	}
-
-	return state.RootModule().OutputValues, nil
+	return output, diags
 }

 func (c *OutputCommand) Help() string {