From 909d540140c79882407a1e39a2d1429debbd96c7 Mon Sep 17 00:00:00 2001
From: Logan Attwood <logan.attwood@gmail.com>
Date: Tue, 8 Apr 2025 12:51:25 -0300
Subject: [PATCH 1/2] Use the `TF_DATA_DIR` env var for temporary files

This (effectively) prevents Terraform from crossing filesystem boundaries when
installing providers and cloudplugins.
---
 internal/cloudplugin/binary.go            | 3 ++-
 internal/providercache/package_install.go | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/internal/cloudplugin/binary.go b/internal/cloudplugin/binary.go
index 606741924e71..90c82090a9dd 100644
--- a/internal/cloudplugin/binary.go
+++ b/internal/cloudplugin/binary.go
@@ -129,7 +129,8 @@ func (v BinaryManager) resolveRelease() (*Binary, error) {
 	}
 
 	// Download the archive
-	t, err := os.CreateTemp(os.TempDir(), "terraform-cloudplugin")
+	// if TF_DATA_DIR is unset, it defaults to "", which results in using TMPDIR or /tmp
+	t, err := os.CreateTemp(os.Getenv("TF_DATA_DIR"), "terraform-cloudplugin")
 	if err != nil {
 		return nil, fmt.Errorf("failed to create temp file for download: %w", err)
 	}
diff --git a/internal/providercache/package_install.go b/internal/providercache/package_install.go
index 78de3ad064e8..1a4d26beec72 100644
--- a/internal/providercache/package_install.go
+++ b/internal/providercache/package_install.go
@@ -43,7 +43,8 @@ func installFromHTTPURL(ctx context.Context, meta getproviders.PackageMeta, targ
 		// registry source.
 		return nil, fmt.Errorf("invalid provider download request: %s", err)
 	}
-	f, err := os.CreateTemp("", "terraform-provider")
+	// if TF_DATA_DIR is unset, it defaults to "", which results in using TMPDIR or /tmp
+	f, err := os.CreateTemp(os.Getenv("TF_DATA_DIR"), "terraform-provider")
 	if err != nil {
 		return nil, fmt.Errorf("failed to open temporary file to download from %s: %w", urlStr, err)
 	}

From 8aa977ceb08cb50e6a19ecf6c9bdf1c970b2488a Mon Sep 17 00:00:00 2001
From: Logan Attwood <logan.attwood@gmail.com>
Date: Tue, 8 Apr 2025 13:02:11 -0300
Subject: [PATCH 2/2] Add changelog entry for behaviour change

---
 .changes/v1.13/ENHANCEMENTS-20250408-130152.yaml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changes/v1.13/ENHANCEMENTS-20250408-130152.yaml

diff --git a/.changes/v1.13/ENHANCEMENTS-20250408-130152.yaml b/.changes/v1.13/ENHANCEMENTS-20250408-130152.yaml
new file mode 100644
index 000000000000..c9a057a433b2
--- /dev/null
+++ b/.changes/v1.13/ENHANCEMENTS-20250408-130152.yaml
@@ -0,0 +1,5 @@
+kind: ENHANCEMENTS
+body: Terraform will use the value of TF_DATA_DIR for temporary files when installing providers, gracefully falling back to os.TempDir if it's unset.
+time: 2025-04-08T13:01:52.791835-03:00
+custom:
+    Issue: "36863"