This allows child processes launched with local-exec to contribute to the same trace that OpenTofu started.
Signed-off-by: ogormans-deptstack <sean.ogorman@deptagency.com>
In particular this corrects the error of "an library" instead of
"a library", but I also made some other adjustments once I had an excuse
to re-review my own earlier writing.
Signed-off-by: Martin Atkins <mart@degeneration.co.uk>
Advisories in the Go vulnerability database often identify specific Go
packages or even specific symbols within Go packages that the advisory
applies to.
Therefore when we are evaluating the impact of an advisory on OpenTofu we
often need to ask the question "what parts of OpenTofu are using that
affected package?"
This new tool is a small wrapper around the "go list" command which takes
a package path of interest and returns all of the packages in OpenTofu's
package import graph that directly import the given package. The results
can include both OpenTofu's own packages and packages from upstream modules
or the Go standard library.
Signed-off-by: Martin Atkins <mart@degeneration.co.uk>
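The direct-importer lookup described in the commit message above, sketched as an added example; this is not the OpenTofu tool's own code. It assumes the import graph arrives as `go list -deps -json` output, and the `example.com` package paths and sample records are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"slices"
	"strings"
)

// listedPackage holds the two "go list -json" fields this example needs.
type listedPackage struct {
	ImportPath string
	Imports    []string
}

// sampleGoList is constructed data shaped like "go list -deps -json ./..."
// output; every example.com path is made up for illustration.
const sampleGoList = `
{"ImportPath": "example.com/tool/internal/getter", "Imports": ["net/http", "golang.org/x/net/http2"]}
{"ImportPath": "example.com/upstream/rpc", "Imports": ["golang.org/x/net/http2", "io"]}
{"ImportPath": "net/http", "Imports": ["golang.org/x/net/http2/hpack", "io"]}
{"ImportPath": "golang.org/x/net/http2", "Imports": ["golang.org/x/net/http2/hpack"]}
`

// directImporters returns, sorted, each package whose Imports names target
// exactly, so importing a subpackage such as .../http2/hpack does not count.
func directImporters(r io.Reader, target string) ([]string, error) {
	dec := json.NewDecoder(r)
	var found []string
	for {
		var p listedPackage
		if err := dec.Decode(&p); err == io.EOF {
			break
		} else if err != nil {
			return nil, fmt.Errorf("decoding go list output: %w", err)
		}
		if slices.Contains(p.Imports, target) {
			found = append(found, p.ImportPath)
		}
	}
	slices.Sort(found)
	return found, nil
}

func main() {
	importers, err := directImporters(strings.NewReader(sampleGoList), "golang.org/x/net/http2")
	fmt.Println(importers, err)
}
```

Matching on the exact import path matters when an advisory names one package: a package that imports only a sibling or subpackage is not reported as affected.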
Our policy for handling advisories in upstream dependencies was previously
documented only in the RFC where we adopted it, which is hard to find for
anyone not already familiar with it.
We'd like for SECURITY.md to be the one place someone needs to look when
they want to learn about our security policy, so this introduces a short
summary of the main consequences of the policy from that RFC and then links
to the full RFC in case a reader would like to learn the reasons behind
those decisions.
Signed-off-by: Martin Atkins <mart@degeneration.co.uk>
The previous commit already removed WinRM support and made it return a
relatively-terse error message, but during the v1.13 release series we'd
like to use a more helpful error message that includes a link to
Microsoft's documentation about enabling an OpenSSH server to use as an
alternative.
This commit is designed to be reverted during the v1.14 period so that
we'll just fall back on the error message already implemented in
"package communicator". This new message needs to be implemented outside
of the communicator abstraction because that old API doesn't support
returning diagnostics, but it's not worth the risk to refactor it just for
an error message we're intending to remove in the next release series
anyway.
Signed-off-by: Martin Atkins <mart@degeneration.co.uk>
The upstream libraries we use to implement this feature are in various
states of unmaintained-ness where we've not been able to upgrade them
beyond the old versions we're currently using without them no longer
working well together.
Therefore we previously made this connection type produce a deprecation
warning in OpenTofu v1.12, and now we're making it produce an error instead
and so we can remove all of our code that was calling in to those
dependencies.
Although this is a breaking change, we're justifying it under the
"external dependencies" pragmatic exception in our compatibility promises:
external software has changed in a way that makes it no longer viable to
offer this feature. Modern Windows has built-in support for running an
OpenSSH server, and so we expect that most folks who were previously
relying on WinRM should be able to migrate to using SSH instead.
Signed-off-by: Martin Atkins <mart@degeneration.co.uk>
The "terraform_version" property of the JSON state format (intentionally
misnamed for backward-compatibility with our predecessor) changes each time
we make a new release, so we'll compare it with the currently-expected
version number instead of with a hard-coded value.
Signed-off-by: Martin Atkins <mart@degeneration.co.uk>
The "main" branch now represents v1.13 development, because v1.12 has
diverged into its own maintenance branch.
Signed-off-by: Martin Atkins <mart@degeneration.co.uk>
This is to give provisioners access to trace span metadata, which we'll make use of in later commits.
Signed-off-by: ogormans-deptstack <sean.ogorman@deptagency.com>
This is just a minor release fixing a number of bugs that don't seem to
have affected OpenTofu, and so this is just a routine upgrade in
preparation for the v1.12.0 release.
Signed-off-by: Martin Atkins <mart@degeneration.co.uk>
The version we were previously using has an incorrect hard-coded URL
template for downloading Go versions that are not yet in the action's own
manifest file, which means that it can't successfully install any Go
version that hasn't been added to the manifest yet.
This new version is updated to use an endpoint on https://go.dev/ that is
set up to redirect to whatever the correct location is, which was
recommended by a member of the Go team in actions/setup-go#665 and so is
presumably intended to remain valid.
Signed-off-by: Martin Atkins <mart@degeneration.co.uk>
All of the exported querying methods of Expander are supposed to hold a
read lock whenever they access Expander.exps, but this particular method was
missing those calls and so it could potentially race with calls that write
new expansions into the data structure.
This seems to be quite hard to hit in practice because it can only arise
if you have an "orphan" resource instance whose node happens to execute
concurrently with the expansion node for a module or resource, but
the race detector can sometimes catch it when executing
TestContext2Apply_providerModuleIteration/apply_orphan_destroy from
"package tofu".
Signed-off-by: Martin Atkins <mart@degeneration.co.uk>
This is just a routine upgrade.
The upstream changes are mainly just robustness improvements, although
there is a notable fix in allowing "s3::http://..." addresses when the
specified hostname is not an official AWS hostname, whereas before the
S3 getter would just ignore the URL scheme and always use "https" behind
the scenes.
Signed-off-by: Martin Atkins <mart@degeneration.co.uk>
The comment here was trying to say that we don't need to _deep-copy_
cty.Value values, but it wasn't clear about that and so it seemed weird
to have a comment saying that copying isn't needed right before a call to
a function called "Copy".
This updates the comment to be more explicit, and also takes the
opportunity to simplify to use maps.Clone instead of maps.Copy, since we
have no need for the intermediate empty map we were previously creating
prior to the Copy call.
Signed-off-by: Martin Atkins <mart@degeneration.co.uk>
We already changed these files considerably in opentofu/opentofu#3671, so
we'll take this opportunity to modernize the rest of the code while the
likelihood of successful clean backporting from this file is pretty low
anyway.
In the case of instance_object_src_test.go some additional editing was
required because uint64Ptr becomes unused when we adopt the built-in "new"
function, which would cause this file to fail the dead code lint.
Signed-off-by: Martin Atkins <mart@degeneration.co.uk>