Fix concurrency issue of Terraform provider cache #21805

Open: wants to merge 10 commits into base: main

lilatomic
Contributor

The Terraform provider cache is not concurrency safe.
The worst concurrency bug with the Terraform provider cache is when nonatomic moves result in incorrect hashes in the lockfile which gets pulled into the Pants cache and then poisons it. So we just don't use the provider cache in that case.

I think there's still the possibility that the nonatomic move triggers a problem with a module with a lockfile when the cache is being populated, but at least that won't enter the cache. I think that risk is lower since the files are fetched during init but used later (ex during validate), by which time the copy operation has completed.

TODO:

  • bug where if the named cache doesn't exist yet causes Terraform to have conflicts creating it

fixes #21804
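
The race described above, as an added example that is not code from this pull request or from Pants: a reader that hashes a provider directory while it is being filled file by file records a hash that does not match the finished directory. `dir_hash` is a stand-in and not Terraform's lockfile hashing scheme, all names and sample files are constructed, and the stage-then-rename variant is shown only for contrast (the PR instead skips the provider cache while generating lockfiles).

```python
import hashlib, os, shutil, tempfile
from pathlib import Path

def dir_hash(root: Path) -> str:
    """Stand-in directory hash (assumption, not Terraform's scheme): paths + contents."""
    h = hashlib.sha256()
    for p in sorted(q for q in root.rglob("*") if q.is_file()):
        h.update(p.relative_to(root).as_posix().encode() + b"\0" + p.read_bytes())
    return h.hexdigest()

def install_in_place(src: Path, dest: Path, observe):
    """Nonatomic install: files land in dest one by one.
    observe(dest) runs after each file, modelling a concurrent reader."""
    dest.mkdir(parents=True)
    seen = []
    for p in sorted(src.iterdir()):
        shutil.copy2(p, dest / p.name)
        seen.append(observe(dest))
    return seen

def install_atomic(src: Path, dest: Path, observe):
    """Stage next to dest, then rename: a reader sees no dest or the full one."""
    staging = Path(tempfile.mkdtemp(dir=dest.parent, prefix=".staging-"))
    seen = []
    for p in sorted(src.iterdir()):
        shutil.copy2(p, staging / p.name)
        seen.append(observe(dest) if dest.exists() else None)
    os.replace(staging, dest)  # same-filesystem rename of the finished directory
    seen.append(observe(dest))
    return seen

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        src, cache = Path(tmp, "download"), Path(tmp, "cache")
        src.mkdir(); cache.mkdir()
        # Constructed sample provider package (two files, so a partial state exists)
        (src / "LICENSE").write_text("constructed sample\n")
        (src / "terraform-provider-example").write_bytes(b"\x7fELF constructed" * 64)
        want = dir_hash(src)
        racy = install_in_place(src, cache / "racy", dir_hash)
        safe = install_atomic(src, cache / "safe", dir_hash)
        return want, racy, safe

if __name__ == "__main__":
    want, racy, safe = demo()
    print("expected      :", want[:16])
    print("in-place reads:", [h[:16] for h in racy])
    print("atomic reads  :", [h and h[:16] for h in safe])
```
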

The worst concurrency bug with the Terraform provider cache
is when nonatomic moves result in incorrect hashes in the lockfile
which gets pulled into the Pants cache and then poisons it.
So we just don't use the provider cache in that case.

I think there's still the possibility that the nonatomic move triggers a problem with a module with a lockfile when the cache is being populated,
but at least that won't enter the cache.
I think that risk is lower since the files are fetched during `init` but used later (ex during `validate`),
by which time the copy operation has completed.
@lilatomic added the labels category:bugfix (Bug fixes for released features) and backend: Terraform (Terraform backend-related issues) on Jan 2, 2025
Terraform downloads providers, while locking providers.
We therefore skip the cache while generating lockfiles
it's not ideal but it works. In the worst case we're the same as a .terraform folder
This will cause it to override anything set in the .terraformrc file
Terraform expects the directory to already exist and will not create it.
@lilatomic force-pushed the terraform/fix/cache-concurrency branch from 9d22f89 to e975123 on January 19, 2025 04:45
Successfully merging this pull request may close these issues.

Terraform cache is not concurrency safe