remove init changes

Author: dsa0x

internal/command/apply_policy_test.go

@@ -6,7 +6,6 @@ package command
 import (
 	"context"
 	"os"
-	"strings"
 	"testing"
 
 	"github.com/hashicorp/hcl/v2"
@@ -141,10 +140,18 @@ func TestApply_WithPolicyDiagnosticsJSON(t *testing.T) {
 		t.Fatalf("bad: %d\n\n%s", code, output.Stdout())
 	}
 
-	all := output.All()
-	if !strings.Contains(all, "policy denied") {
-		t.Fatalf("expected %q in output, got:\n%s", "policy denied", all)
-	}
+	expected := `{"@level":"info","@message":"Terraform 1.15.0-dev","@module":"terraform.ui","terraform":"1.15.0-dev","type":"version","ui":"1.2"}
+{"@level":"info","@message":"data.test_data_source.a: Refreshing...","@module":"terraform.ui","hook":{"resource":{"addr":"data.test_data_source.a","module":"","resource":"data.test_data_source.a","implied_provider":"test","resource_type":"test_data_source","resource_name":"a","resource_key":null},"action":"read"},"type":"apply_start"}
+{"@level":"info","@message":"data.test_data_source.a: Refresh complete after 0s [id=zzzzz]","@module":"terraform.ui","hook":{"resource":{"addr":"data.test_data_source.a","module":"","resource":"data.test_data_source.a","implied_provider":"test","resource_type":"test_data_source","resource_name":"a","resource_key":null},"action":"read","id_key":"id","id_value":"zzzzz","elapsed_seconds":0},"type":"apply_complete"}
+{"@level":"info","@message":"test_instance.foo: Plan to create","@module":"terraform.ui","change":{"resource":{"addr":"test_instance.foo","module":"","resource":"test_instance.foo","implied_provider":"test","resource_type":"test_instance","resource_name":"foo","resource_key":null},"action":"create"},"type":"planned_change"}
+{"@level":"info","@message":"Plan: 1 to add, 0 to change, 0 to destroy.","@module":"terraform.ui","changes":{"add":1,"change":0,"import":0,"remove":0,"action_invocation":0,"operation":"plan"},"type":"change_summary"}
+{"@level":"info","@message":"test_instance.foo: Creating...","@module":"terraform.ui","hook":{"resource":{"addr":"test_instance.foo","module":"","resource":"test_instance.foo","implied_provider":"test","resource_type":"test_instance","resource_name":"foo","resource_key":null},"action":"create"},"type":"apply_start"}
+{"@level":"info","@message":"test_instance.foo: Creation complete after 0s","@module":"terraform.ui","hook":{"resource":{"addr":"test_instance.foo","module":"","resource":"test_instance.foo","implied_provider":"test","resource_type":"test_instance","resource_name":"foo","resource_key":null},"action":"create","elapsed_seconds":0},"type":"apply_complete"}
+{"@level":"error","@message":"Error: policy denied","@module":"terraform.ui","@policy":"true","target_address":"test_instance.foo","policy_diagnostic":{"severity":"error","summary":"policy denied","detail":"","range":{"filename":"main.tf","start":{"line":1,"column":1,"byte":0},"end":{"line":1,"column":31,"byte":30}},"snippet":{"context":null,"code":"resource \"test_instance\" \"foo\" {","start_line":1,"highlight_start_offset":0,"highlight_end_offset":30,"values":[]},"policy_range":{"filename":"policy_file.tfpolicy.hcl","start":{"line":1,"column":1,"byte":0},"end":{"line":2,"column":4,"byte":0}},"policy_snippet":{"context":null,"code":"\t\tresource_policy \"resource_type\" \"policy_name\" {\n\t\t  enforce_attrs {\n\t\t    key = attr.value == \"foo\"\n\t\t  }\n\t\t}\n\t","start_line":1,"highlight_start_offset":1,"highlight_end_offset":100,"values":null}},"policy_metadata":{"enforce_index":1,"policy_set_path":"policy_file.tfpolicy.hcl","policy_name":"resource_policy.foo","file_name":"policy_file.tfpolicy.hcl","enforcement_level":"mandatory"},"result":"DenyResult","type":"policy_diagnostic"}
+{"@level":"info","@message":"Policy Result","@module":"terraform.ui","@policy":"true","policy_address":"resource_policy.foo","policy_metadata":{"policy_set_path":"policy_file.tfpolicy.hcl","policy_name":"resource_policy.foo","file_name":"policy_file.tfpolicy.hcl","enforcement_level":"mandatory"},"result":"DenyResult","target_address":"test_instance.foo","type":"policy_result"}
+{"@level":"info","@message":"Apply complete! Resources: 1 added, 0 changed, 0 destroyed.","@module":"terraform.ui","changes":{"add":1,"change":0,"import":0,"remove":0,"action_invocation":0,"operation":"apply"},"type":"change_summary"}
+{"@level":"info","@message":"Outputs: 0","@module":"terraform.ui","outputs":{},"type":"outputs"}`
+	checkGoldenReferenceStr(t, output, expected)
 }
 
 // This tests that the plan policy diagnostic is superceded by the apply policy evaluation.
@@ -286,12 +293,18 @@ func TestApply_WithPlanPolicyDiagnosticsJSON(t *testing.T) {
 		t.Fatalf("bad: %d\n\n%s", code, output.Stdout())
 	}
 
-	all := output.All()
-	if !strings.Contains(all, "AllowResult") {
-		t.Fatalf("expected %q in output, got:\n%s", "AllowResult", all)
-
-	}
-	if strings.Contains(all, "policy denied") {
-		t.Fatalf("expected apply-time policy result to supersede plan-time denial, got:\n%s", all)
-	}
+	// The resulting json only contains the policy result, because the object that
+	// had a failed policy evaluation during the plan succeeded during apply.
+	// This can occur when more references become known.
+	expected := `{"@level":"info","@message":"Terraform 1.15.0-dev","@module":"terraform.ui","terraform":"1.15.0-dev","type":"version","ui":"1.2"}
+{"@level":"info","@message":"data.test_data_source.a: Refreshing...","@module":"terraform.ui","hook":{"resource":{"addr":"data.test_data_source.a","module":"","resource":"data.test_data_source.a","implied_provider":"test","resource_type":"test_data_source","resource_name":"a","resource_key":null},"action":"read"},"type":"apply_start"}
+{"@level":"info","@message":"data.test_data_source.a: Refresh complete after 0s [id=zzzzz]","@module":"terraform.ui","hook":{"resource":{"addr":"data.test_data_source.a","module":"","resource":"data.test_data_source.a","implied_provider":"test","resource_type":"test_data_source","resource_name":"a","resource_key":null},"action":"read","id_key":"id","id_value":"zzzzz","elapsed_seconds":0},"type":"apply_complete"}
+{"@level":"info","@message":"test_instance.foo: Plan to create","@module":"terraform.ui","change":{"resource":{"addr":"test_instance.foo","module":"","resource":"test_instance.foo","implied_provider":"test","resource_type":"test_instance","resource_name":"foo","resource_key":null},"action":"create"},"type":"planned_change"}
+{"@level":"info","@message":"Plan: 1 to add, 0 to change, 0 to destroy.","@module":"terraform.ui","changes":{"add":1,"change":0,"import":0,"remove":0,"action_invocation":0,"operation":"plan"},"type":"change_summary"}
+{"@level":"info","@message":"test_instance.foo: Creating...","@module":"terraform.ui","hook":{"resource":{"addr":"test_instance.foo","module":"","resource":"test_instance.foo","implied_provider":"test","resource_type":"test_instance","resource_name":"foo","resource_key":null},"action":"create"},"type":"apply_start"}
+{"@level":"info","@message":"test_instance.foo: Creation complete after 0s","@module":"terraform.ui","hook":{"resource":{"addr":"test_instance.foo","module":"","resource":"test_instance.foo","implied_provider":"test","resource_type":"test_instance","resource_name":"foo","resource_key":null},"action":"create","elapsed_seconds":0,"id_key":"id"},"type":"apply_complete"}
+{"@level":"info","@message":"Policy Result","@module":"terraform.ui","@policy":"true","policy_address":"resource_policy.foo","policy_metadata":{"policy_set_path":"policy_file.tfpolicy.hcl","policy_name":"resource_policy.foo","file_name":"policy_file.tfpolicy.hcl","enforcement_level":"mandatory"},"result":"AllowResult","target_address":"test_instance.foo","type":"policy_result"}
+{"@level":"info","@message":"Apply complete! Resources: 1 added, 0 changed, 0 destroyed.","@module":"terraform.ui","changes":{"add":1,"change":0,"import":0,"remove":0,"action_invocation":0,"operation":"apply"},"type":"change_summary"}
+{"@level":"info","@message":"Outputs: 0","@module":"terraform.ui","outputs":{},"type":"outputs"}`
+	checkGoldenReferenceStr(t, output, expected)
 }

internal/command/meta_policy.go

@@ -7,20 +7,11 @@ import (
 	"context"
 	"fmt"
 	"log"
-	"maps"
-	"slices"
 
 	"github.com/apparentlymart/go-versions/versions"
 	"github.com/apparentlymart/go-versions/versions/constraints"
-	"github.com/zclconf/go-cty/cty"
 
-	"github.com/hashicorp/terraform/internal/addrs"
-	"github.com/hashicorp/terraform/internal/configs"
-	"github.com/hashicorp/terraform/internal/initwd"
-	"github.com/hashicorp/terraform/internal/plans"
 	"github.com/hashicorp/terraform/internal/policy"
-	"github.com/hashicorp/terraform/internal/policy/proto"
-	"github.com/hashicorp/terraform/internal/tfdiags"
 	"github.com/hashicorp/terraform/version"
 )
 
@@ -113,123 +104,3 @@ func (c *Meta) PolicyClient(ctx context.Context, policyPaths []string) (policy.C
 	log.Printf("[INFO] backend/operation/policy: Policy engine initialized")
 	return client, diags
 }
-
-// policyModuleInstallHook implements initwd.ModuleInstallHook and
-// enables policy evaluation during module installation.
-type policyModuleInstallHook struct {
-	initwd.ModuleInstallHooksImpl
-	client        policy.Client
-	rootModule    *configs.Module
-	policyResults *plans.PolicyResults
-}
-
-func (h *policyModuleInstallHook) EvaluatePolicy(ctx context.Context, req *configs.ModuleRequest, source, version string) tfdiags.Diagnostics {
-	moduleAddr := req.Path.String()
-	moduleCall := h.rootModule.ModuleCalls[req.Name]
-	result := h.client.EvaluateModule(ctx, policy.EvaluationRequest[*proto.ModuleMetadata]{
-		Attrs:  cty.NilVal,
-		Target: source,
-		Meta: &proto.ModuleMetadata{
-			Address: moduleAddr,
-			Source:  source,
-			Version: version,
-		},
-	})
-
-	if moduleCall != nil && moduleCall.Config != nil {
-		ptr := moduleCall.DeclRange.Ptr()
-		for idx, diag := range result.Diagnostics {
-			result.Diagnostics[idx] = diag.WithLocalRange(ptr)
-		}
-		for idx := range result.Enforcements {
-			result.Enforcements[idx].LocalRange = ptr
-		}
-	}
-	h.policyResults.AddModule(req.Path, result, moduleCall)
-
-	// return a generic error here that the init command returns to the CLI.
-	// The detailed policy diagnostics are included in the policy results
-	// and will be formatted in the CLI output.
-	if len(result.Diagnostics) > 0 && result.Diagnostics.AsTerraformDiags().HasErrors() {
-		return tfdiags.Diagnostics{
-			policy.NewErrorDiagnostic(
-				"Policy evaluation failed",
-				"Module download blocked due to policy violations. Please review other diagnostics for details.",
-				policy.SetupErrorResult,
-			),
-		}
-	}
-	return nil
-}
-
-type providerInstallerHook struct {
-	Reqs          *configs.ModuleRequirements
-	Client        policy.Client
-	moduleMap     map[addrs.Provider]string
-	policyResults *plans.PolicyResults
-	config        *configs.Config
-}
-
-func (p *providerInstallerHook) moduleSources() map[addrs.Provider]string {
-	if p.moduleMap != nil {
-		return p.moduleMap
-	}
-	// We iterate through the module requirements to build a map of providers
-	// to their module source addresses. The first module requirement we encounter
-	// for each provider will be recorded as the provider's module.
-	// This matches how Terraform adds providers to the graph.
-	p.moduleMap = map[addrs.Provider]string{}
-	moduleReqs := []*configs.ModuleRequirements{p.Reqs}
-	for len(moduleReqs) != 0 {
-		moduleReq := moduleReqs[0]
-		for reqProvider := range moduleReq.Requirements {
-			if _, ok := p.moduleMap[reqProvider]; ok {
-				// if we already have a module for this provider, skip
-				continue
-			}
-
-			// The source is nil in the root module, so we use the root module address.
-			if moduleReq.SourceAddr == nil {
-				p.moduleMap[reqProvider] = addrs.RootModule.String()
-			} else {
-				p.moduleMap[reqProvider] = moduleReq.SourceAddr.String()
-			}
-		}
-
-		newReqs := slices.Collect(maps.Values(moduleReq.Children))
-		moduleReqs = append(moduleReqs[1:], newReqs...)
-	}
-	return p.moduleMap
-}
-
-func (p *providerInstallerHook) EvaluatePolicy(ctx context.Context, provider addrs.Provider, version string) policy.EvaluationResponse {
-	// If the client is nil, then policy evaluation is disabled, so we can skip.
-	if p.Client == nil {
-		return policy.EvaluationResponse{}
-	}
-	moduleSources := p.moduleSources()
-	log.Println("[DEBUG] init: evaluating policy for provider", provider.String(), version)
-	result := p.Client.EvaluateProvider(ctx, policy.EvaluationRequest[*proto.ProviderMetadata]{
-		Target: provider.Type,
-
-		// Configuration attributes may not be available during init, so we will not
-		// send any attributes to the policy client.
-		Attrs: cty.NilVal,
-		Meta: &proto.ProviderMetadata{
-			Name:       provider.Type,
-			Namespace:  provider.Namespace,
-			Type:       provider.Type,
-			Source:     provider.String(),
-			ModulePath: moduleSources[provider],
-			Version:    version,
-		},
-	})
-	// We use the root module as the module for provider configs since the version resolution
-	// is ambiguous, and we do not know which module the provider config belongs to.
-	addr := addrs.AbsProviderConfig{Provider: provider, Module: addrs.RootModule}
-	providerConfig := p.config.Module.ProviderConfigs[provider.Type]
-
-	p.policyResults.AddProvider(addr, result, providerConfig)
-
-	return result
-}