validate policy paths

Author: dsa0x

internal/command/init.go

@@ -56,19 +56,7 @@ func (c *InitCommand) Run(args []string) int {
 
 	view := views.NewInit(initArgs.ViewType, c.View)
 
-	loader, err := c.initConfigLoader()
-	if err != nil {
-		diags = diags.Append(err)
-		view.Diagnostics(diags)
-		return 1
-	}
-
-	var varDiags tfdiags.Diagnostics
-	c.VariableValues, varDiags = initArgs.Vars.CollectValues(func(filename string, src []byte) {
-		loader.Parser().ForceFileSource(filename, src)
-	})
-	diags = diags.Append(varDiags)
-
+	diags = diags.Append(c.Validate(initArgs))
 	if diags.HasErrors() {
 		view.Diagnostics(diags)
 		return 1
@@ -294,6 +282,23 @@ func (c *InitCommand) initBackend(ctx context.Context, root *configs.Module, ini
 	return back, true, diags
 }
 
+func (c *InitCommand) Validate(args *arguments.Init) (diags tfdiags.Diagnostics) {
+	loader, err := c.initConfigLoader()
+	if err != nil {
+		diags = diags.Append(err)
+		return diags
+	}
+
+	var varDiags tfdiags.Diagnostics
+	c.VariableValues, varDiags = args.Vars.CollectValues(func(filename string, src []byte) {
+		loader.Parser().ForceFileSource(filename, src)
+	})
+	diags = diags.Append(varDiags)
+
+	diags = diags.Append(validatePolicyPaths(args.PolicyPaths, c.AllowExperimentalFeatures))
+	return diags
+}
+
 func (c *InitCommand) earlyValidateBackend(root *configs.Module, initArgs *arguments.Init) (diags tfdiags.Diagnostics) {
 	switch {
 	case root.StateStore != nil && root.Backend != nil:
@@ -517,18 +522,18 @@ func (c *InitCommand) getProvidersFromConfig(ctx context.Context, config *config
 
 	// Determine which required providers are already downloaded, and download any
 	// new providers or newer versions of providers
-	configLocks, installErr := inst.EnsureProviderVersions(ctx, previousLocks, reqs, mode, installerHook)
+	configLocks, err := inst.EnsureProviderVersions(ctx, previousLocks, reqs, mode, installerHook)
 	if ctx.Err() == context.Canceled {
 		diags = diags.Append(fmt.Errorf("Provider installation was canceled by an interrupt signal."))
-		view.Diagnostics(diags) // TODO: Why is the output viewed here?
+		view.Diagnostics(diags)
 		return true, nil, SafeInitActionInvalid, nil, diags
 	}
-	if installErr != nil {
-		// The errors captured in "installErr" should be redundant with what we
+	if err != nil {
+		// The errors captured in "err" should be redundant with what we
 		// received via the InstallerEvents callbacks above, so we'll
 		// just return those as long as we have some.
 		if !diags.HasErrors() {
-			diags = diags.Append(installErr)
+			diags = diags.Append(err)
 		}
 
 		return true, nil, SafeInitActionInvalid, nil, diags

internal/command/init_run.go

@@ -40,7 +40,6 @@ func (c *InitCommand) run(initArgs *arguments.Init, view views.Init) int {
 	c.Meta.input = initArgs.InputEnabled
 	c.Meta.targetFlags = initArgs.TargetFlags
 	c.Meta.compactWarnings = initArgs.CompactWarnings
-	c.Meta.policyPaths = initArgs.PolicyPaths
 
 	// Copying the state only happens during backend migration, so setting
 	// -force-copy implies -migrate-state

internal/providercache/installer.go

@@ -64,10 +64,6 @@ type Installer struct {
 	// from the users machine via CLI configuration, so Terraform does
 	// not need to worry about installing them.
 	devOverrideTypes map[addrs.Provider]struct{}
-
-	// hook is an optional hook whose methods may be called for each provider
-	// version that is being installed or upgraded.
-	hook InstallerHook
 }
 
 // NewInstaller constructs and returns a new installer with the given target
@@ -180,10 +176,6 @@ func (i *Installer) SetDevOverrideTypes(types map[addrs.Provider]struct{}) {
 	i.devOverrideTypes = types
 }
 
-func (i *Installer) SetHook(hook InstallerHook) {
-	i.hook = hook
-}
-
 // EnsureProviderVersions compares the given provider requirements with what
 // is already available in the installer's target directory and then takes
 // appropriate installation actions to ensure that suitable packages
@@ -371,16 +363,13 @@ NeedProvider:
 		}
 
 		for _, hook := range hooks {
-			// For each needed provider, we will send the version
-			// and provider to the hook for policy evaluation.
-			// If the hook returns an error, we'll abort the installation.
-			// We do this before checking the lock file, so that we also
-			// evaluate policy for providers that are already installed.
+			// For each needed provider, we will report the selected version
+			// to the hooks. If a hook returns an error, we'll abort the installation.
+			// We do this for all providers, including already installed ones.
+			// Their installation cannot be prevented, but the hook can still
+			// return an error to indicate that the provider version is not
+			// acceptable.
 			err := hook.ProviderVersionSelected(ctx, provider, version.String())
-
-			// return a generic error here that the init command returns to the CLI.
-			// The detailed policy diagnostics are included in the policy results
-			// and will be formatted in the CLI output.
 			if err != nil {
 				return nil, err
 			}