Skip to content

Comments

PSS: Fix use of reattached providers in init, enable use of reattached providers during plan-apply workflow#38182

Merged
SarahFrench merged 15 commits intomainfrom
pss/fix-use-of-reattached-providers
Feb 18, 2026
Merged

PSS: Fix use of reattached providers in init, enable use of reattached providers during plan-apply workflow#38182
SarahFrench merged 15 commits intomainfrom
pss/fix-use-of-reattached-providers

Conversation

@SarahFrench
Copy link
Member

@SarahFrench SarahFrench commented Feb 14, 2026
edited
Loading

Fixes an issue where a reattached provider was no longer able to be used with PSS.

This PR:

  1. Moves logic protecting against a missing state storage provider into the (Meta).backend method. This makes the protections specific to non-init commands.
  2. Updates the protection logic to only assert whether the state storage provider is present or not, versus returning errors about other missing providers too.
  3. Updates the protection logic to allow use of reattached providers for state storage. It's permissable to not have a lock file if the state storage provider is reattached.
  4. Fixes an issue where creating a plan file panicked if a builtin or reattached provider (unlockable, and without a Version value) are used for state storage.
  5. Adds E2E tests showing that reattached providers can be used for the init-plan-apply workflow with PSS.

Target Release

N/A

Rollback Plan

  • If a change needs to be reverted, we will roll out an update to the code within 7 days.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

CHANGELOG entry

  • This change is user-facing and I added a changelog entry.
  • This change is not user-facing.

@SarahFrench
test: Fix stateStoreConfig tests to have correct setup
218e96c
@SarahFrench
fix: Resume allowing use of TF_REATTACH_PROVIDERS to supply the PSS p…
122e91f 
…rovider
@SarahFrench
refactor: Check that the state storage provider is present when begin…
c4055d5 
…ning to initialise a state store for use in a non-init command.

Previously we passed all required providers into backend options to be used within `stateStoreConfig`, which is invoked via (Meta).Backend. The new approach enforces that the provider is present while assembling the backend options passed to (Meta).Backend from (Meta).backend, which is non-init specific. As this code is defending against users running non-init commands before an init, this place feels appropriate and isn't able to impact the init command.
@SarahFrench
fix: Reattached PSS providers should return early when checking locks…
ca7acad 
…, and an empty locks file is only bad if there isn't a reattached PSS provider
@SarahFrench
test: Assert running init with reattached PSS provider is ok
372972d
@SarahFrench
fix: Allow builtin or reattached providers to be used for state store…
d3d915a 
…s when generating a plan file
@SarahFrench
test: Expand test to show using a reattached provider can be used for…
c15c78e 
… a workflow of init, plan with -out, and apply.
@SarahFrench
docs: Link new E2E test to related integration tests
671bb18
@SarahFrench
chore: Formatting
5c41162
@SarahFrench
chore: Replace 'io/ioutil' and format code in unmanaged e2e tests
4350df4
@SarahFrench
test: Fix test - we cannot assert about plan/apply resource change be…
4f1083f 
…ing called as the state storage provider isn't the provider used for resource management here
@SarahFrench
test: Update test to assert when read/write state happens.
943c010
@SarahFrench SarahFrench added the no-changelog-needed Add this to your PR if the change does not require a changelog entry label Feb 14, 2026
@SarahFrench SarahFrench marked this pull request as ready for review February 16, 2026 10:09
@SarahFrench SarahFrench requested a review from a team as a code owner February 16, 2026 10:09
SarahFrench
SarahFrench commented Feb 16, 2026
View reviewed changes
internal/command/init_test.go
Comment on lines 4822 to 4824
t.Run("the error isn't shown if the provider is supplied through reattach config", func(t *testing.T) {
t.Skip("This is implemented as an E2E test: TestPrimary_stateStore_Unmanaged_SeparatePlan")
})
Copy link
Member Author

@SarahFrench SarahFrench Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I could replace this with a code comment but my intention here was to try and create something more eye catching, or something that a person skimming test cases would see more easily.

radeksimko
radeksimko approved these changes Feb 17, 2026
View reviewed changes
internal/command/meta_backend.go
//
// Remember, the (Meta).backend method is used for non-init commands, so we expect dependency locks
// to be present or for the provider to be otherwise available, e.g. via reattach config.
depsDiags := root.StateStore.VerifyDependencySelection(locks, root.ProviderRequirements)
Copy link
Member

@radeksimko radeksimko Feb 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, I haven't thought of doing the verification this early in my previous PR! Great to avoid all that plumbing that way. 👍🏻

radeksimko
radeksimko requested changes Feb 17, 2026
View reviewed changes
Copy link
Member

@radeksimko radeksimko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the wording in the failing test may need updating.

Also you might want to preventatively rebase the PR after the copyright header changes. Otherwise I think the PR is aok and happy to approve.

@SarahFrench SarahFrench enabled auto-merge (squash) February 17, 2026 17:34
@SarahFrench
Copy link
Member Author

SarahFrench commented Feb 17, 2026

Thanks for taking a look! That test failure should be resolved now - I've enabled auto-merge (and cleaned up the commit details in there 🙈 )

@SarahFrench SarahFrench merged commit 3db7c75 into main Feb 18, 2026
7 checks passed
@SarahFrench SarahFrench deleted the pss/fix-use-of-reattached-providers branch February 18, 2026 11:53
@SarahFrench SarahFrench mentioned this pull request Feb 18, 2026
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@radeksimko radeksimko radeksimko approved these changes

Assignees

No one assigned

Labels

no-changelog-needed Add this to your PR if the change does not require a changelog entry

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@SarahFrench @radeksimko