Skip to content

PSS: Add savedStateStore method to Meta #37558

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 14 commits into from
Oct 3, 2025
Merged

PSS: Add savedStateStore method to Meta #37558

merged 14 commits into from
Oct 3, 2025
+243 −2

Conversation

SarahFrench
Copy link
Member

@SarahFrench SarahFrench commented Sep 3, 2025
edited
Loading

Description

This PR adds a new savedStateStore method that's similar to the existing savedBackend method on Meta.

The savedBackend method on Meta returns a backend that's configured using the backend state file's contents and isn't influenced by the current config. This method is used during state migration events in init commands, where Terraform needs to have an instance of the old backend, configured the old way, in order to access state to migrate to the new backend's location.

Note: There is a variant called backendFromState that does a similar job but isn't considered in this PR. This variant is specific to users running init commands with -backend=false as a flag.

This PR adds a new savedStateStore method that's similar to the existing savedBackend method on Meta. The method uses only backend state file data to configure and return a backend.Backend instance made using a provider that implements pluggable state storage.

Target Release

N/A

Rollback Plan

  • If a change needs to be reverted, we will roll out an update to the code within 7 days.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

CHANGELOG entry

  • This change is user-facing and I added a changelog entry.
  • This change is not user-facing.

@SarahFrench SarahFrench changed the title Pss/add saved state store method PSS: Add savedStateStore method to Meta Sep 3, 2025
@SarahFrench SarahFrench added the no-changelog-needed Add this to your PR if the change does not require a changelog entry label Sep 3, 2025
SarahFrench
SarahFrench commented Sep 3, 2025
View reviewed changes
@SarahFrench SarahFrench force-pushed the pss/add-saved-state-store-method branch from 03793cc to 678807b Compare September 5, 2025 09:21
@SarahFrench SarahFrench marked this pull request as ready for review September 8, 2025 16:38
@SarahFrench SarahFrench requested a review from a team as a code owner September 8, 2025 16:38
radeksimko
radeksimko previously approved these changes Sep 24, 2025
View reviewed changes
@SarahFrench
Copy link
Member Author

From discussion - will need to remove marks for provider config, but state store config currently is unable to include 'sensitive' etc values so marks currently not possible.

Remove marks and add tests to confirm

I've attempted to write a test that asserts marks are removed, but marks don't appear to be present at the time they're being removed. I assumed that this code that uses the schema (which contains Sensitive attributes) would result in a cty.Value that contains marks. Is there something wrong with my assumptions, or wrong with the code itself?

@SarahFrench SarahFrench requested a review from radeksimko October 2, 2025 16:24
radeksimko
radeksimko previously approved these changes Oct 3, 2025
View reviewed changes
@SarahFrench
Copy link
Member Author

SarahFrench commented Oct 3, 2025
edited
Loading

I sought some guidance about the question of whether marks are relevant here at all.

From what I learned code in Terraform should only adds marks to config values that are used in the presentation layer, i.e. things that would be shown in the terminal output. They would be removed again when persisting to state, etc.

I briefly implemented adding the marks (483f57a) but as there are no diagnostics that would log sensitive config values to the terminal those marks are not used anywhere. So I've updated the PR to no longer add the marks. In the code that uses the RPCs related to configuring providers and state stores we no longer have any code for removing marks as we now know that we're not adding any to those values, regardless of what the matching schema says about sensitivity etc. I've put a comment describing this to the code, as others might make our mistake of blindly assuming marks need to be removed before calling any RPC.

@SarahFrench SarahFrench mentioned this pull request Oct 3, 2025
Draft
3 tasks
@SarahFrench
Copy link
Member Author

Thanks!

@SarahFrench SarahFrench merged commit 312f296 into main Oct 3, 2025
7 checks passed
@SarahFrench SarahFrench deleted the pss/add-saved-state-store-method branch October 3, 2025 17:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@radeksimko radeksimko radeksimko approved these changes

Assignees
No one assigned
Labels
no-changelog-needed Add this to your PR if the change does not require a changelog entry
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@SarahFrench @radeksimko