inject provider installer hook

Author: dsa0x

internal/command/init.go

@@ -392,7 +392,7 @@ const (
 // The dependency lock file itself isn't updated here.
 //
 // Calling code is responsible for validating inputs to this method, e.g. mutually exclusive flags.
-func (c *InitCommand) getProvidersFromConfig(ctx context.Context, config *configs.Config, upgrade bool, pluginDirs []string, flagLockfile string, view views.Init, installerHook *providerInstallerHook) (output bool, resultingLocks *depsfile.Locks, safeInitAction SafeInitAction, authResult *getproviders.PackageAuthenticationResult, diags tfdiags.Diagnostics) {
+func (c *InitCommand) getProvidersFromConfig(ctx context.Context, config *configs.Config, upgrade bool, pluginDirs []string, flagLockfile string, view views.Init, installerHook *providerPolicyHook) (output bool, resultingLocks *depsfile.Locks, safeInitAction SafeInitAction, authResult *getproviders.PackageAuthenticationResult, diags tfdiags.Diagnostics) {
 	if config == nil {
 		return false, nil, SafeInitActionNotRelevant, nil, diags
 	}
@@ -515,7 +515,6 @@ func (c *InitCommand) getProvidersFromConfig(ctx context.Context, config *config
 		ProvidersFetched:     providersFetchedCallback(view),
 	}
 	ctx = evts.OnContext(ctx)
-	inst.SetHook(installerHook)
 
 	mode := providercache.InstallNewProvidersOnly
 	if upgrade {
@@ -531,7 +530,7 @@ func (c *InitCommand) getProvidersFromConfig(ctx context.Context, config *config
 
 	// Determine which required providers are already downloaded, and download any
 	// new providers or newer versions of providers
-	configLocks, installErr := inst.EnsureProviderVersions(ctx, previousLocks, reqs, mode)
+	configLocks, installErr := inst.EnsureProviderVersions(ctx, previousLocks, reqs, mode, installerHook)
 	if ctx.Err() == context.Canceled {
 		diags = diags.Append(fmt.Errorf("Provider installation was canceled by an interrupt signal."))
 		view.Diagnostics(diags) // TODO: Why is the output viewed here?
@@ -590,7 +589,7 @@ func (c *InitCommand) getProvidersFromConfig(ctx context.Context, config *config
 // The calling code is assumed to have already called getProvidersFromConfig, which is used to
 // supply the configLocks argument.
 // The dependency lock file itself isn't updated here.
-func (c *InitCommand) getProvidersFromState(ctx context.Context, state *states.State, configReqs providerreqs.Requirements, configLocks *depsfile.Locks, pluginDirs []string, view views.Init, installerHook *providerInstallerHook) (output bool, resultingLocks *depsfile.Locks, diags tfdiags.Diagnostics) {
+func (c *InitCommand) getProvidersFromState(ctx context.Context, state *states.State, configReqs providerreqs.Requirements, configLocks *depsfile.Locks, pluginDirs []string, view views.Init, installerHook *providerPolicyHook) (output bool, resultingLocks *depsfile.Locks, diags tfdiags.Diagnostics) {
 	ctx, span := tracer.Start(ctx, "install providers from state")
 	defer span.End()
 
@@ -695,7 +694,6 @@ func (c *InitCommand) getProvidersFromState(ctx context.Context, state *states.S
 		ProvidersFetched:     providersFetchedCallback(view),
 	}
 	ctx = evts.OnContext(ctx)
-	inst.SetHook(installerHook)
 
 	mode := providercache.InstallNewProvidersOnly
 
@@ -705,7 +703,7 @@ func (c *InitCommand) getProvidersFromState(ctx context.Context, state *states.S
 	//      would remove the effects of version constraints from the config.
 	// > Any validation of CLI flag usage is already done in getProvidersFromConfig
 
-	newLocks, err := inst.EnsureProviderVersions(ctx, inProgressLocks, reqs, mode)
+	newLocks, err := inst.EnsureProviderVersions(ctx, inProgressLocks, reqs, mode, installerHook)
 	if ctx.Err() == context.Canceled {
 		diags = diags.Append(fmt.Errorf("Provider installation was canceled by an interrupt signal."))
 		view.Diagnostics(diags)

internal/command/init_run.go

@@ -248,7 +248,7 @@ func (c *InitCommand) run(initArgs *arguments.Init, view views.Init) int {
 		return 1
 	}
 	policyResults := plans.NewPolicyResults()
-	providerHook := &providerInstallerHook{
+	providerHook := &providerPolicyHook{
 		Client:        client,
 		Reqs:          reqsByModule,
 		policyResults: policyResults,

internal/command/meta_policy.go

@@ -159,15 +159,15 @@ func (h *policyModuleInstallHook) EvaluatePolicy(ctx context.Context, req *confi
 	return nil
 }
 
-type providerInstallerHook struct {
+type providerPolicyHook struct {
 	Reqs          *configs.ModuleRequirements
 	Client        policy.Client
 	moduleMap     map[addrs.Provider]string
 	policyResults *plans.PolicyResults
 	config        *configs.Config
 }
 
-func (p *providerInstallerHook) moduleSources() map[addrs.Provider]string {
+func (p *providerPolicyHook) moduleSources() map[addrs.Provider]string {
 	if p.moduleMap != nil {
 		return p.moduleMap
 	}
@@ -199,10 +199,13 @@ func (p *providerInstallerHook) moduleSources() map[addrs.Provider]string {
 	return p.moduleMap
 }
 
-func (p *providerInstallerHook) EvaluatePolicy(ctx context.Context, provider addrs.Provider, version string) policy.EvaluationResponse {
+// ProviderVersionSelected satisfies the [providers.InstallerHook] interface.
+// When a provider version is selected, this method performs policy evaluation for the provider,
+// and aborts the installation if the policy evaluation fails.
+func (p *providerPolicyHook) ProviderVersionSelected(ctx context.Context, provider addrs.Provider, version string) error {
 	// If the client is nil, then policy evaluation is disabled, so we can skip.
 	if p.Client == nil {
-		return policy.EvaluationResponse{}
+		return nil
 	}
 	moduleSources := p.moduleSources()
 	log.Println("[DEBUG] init: evaluating policy for provider", provider.String(), version)
@@ -227,5 +230,5 @@ func (p *providerInstallerHook) EvaluatePolicy(ctx context.Context, provider add
 
 	p.policyResults.AddProvider(addr, result, providerConfig)
 
-	return result
+	return fmt.Errorf("Provider download failed due to policy violations. Please review other diagnostics for details.")
 }

internal/providercache/installer.go

@@ -17,7 +17,6 @@ import (
 	copydir "github.com/hashicorp/terraform/internal/copy"
 	"github.com/hashicorp/terraform/internal/depsfile"
 	"github.com/hashicorp/terraform/internal/getproviders"
-	"github.com/hashicorp/terraform/internal/policy"
 )
 
 // Installer is the main type in this package, representing a provider installer
@@ -59,10 +58,6 @@ type Installer struct {
 	// lifecycle for, and therefore does not need to worry about the
 	// installation of.
 	unmanagedProviderTypes map[addrs.Provider]struct{}
-
-	// hook is an optional hook whose methods may be called for each provider
-	// version that is being installed or upgraded.
-	hook InstallerHook
 }
 
 // NewInstaller constructs and returns a new installer with the given target
@@ -166,10 +161,6 @@ func (i *Installer) SetUnmanagedProviderTypes(types map[addrs.Provider]struct{})
 	i.unmanagedProviderTypes = types
 }
 
-func (i *Installer) SetHook(hook InstallerHook) {
-	i.hook = hook
-}
-
 // EnsureProviderVersions compares the given provider requirements with what
 // is already available in the installer's target directory and then takes
 // appropriate installation actions to ensure that suitable packages
@@ -189,7 +180,7 @@ func (i *Installer) SetHook(hook InstallerHook) {
 // failures then those notifications will be redundant with the ones included
 // in the final returned error value so callers should show either one or the
 // other, and not both.
-func (i *Installer) EnsureProviderVersions(ctx context.Context, locks *depsfile.Locks, reqs getproviders.Requirements, mode InstallMode) (*depsfile.Locks, error) {
+func (i *Installer) EnsureProviderVersions(ctx context.Context, locks *depsfile.Locks, reqs getproviders.Requirements, mode InstallMode, hooks ...InstallerHook) (*depsfile.Locks, error) {
 	errs := map[addrs.Provider]error{}
 	evts := installerEventsForContext(ctx)
 
@@ -352,19 +343,19 @@ NeedProvider:
 			return nil, err
 		}
 
-		if i.hook != nil {
+		for _, hook := range hooks {
 			// For each needed provider, we will send the version
 			// and provider to the hook for policy evaluation.
 			// If the hook returns an error, we'll abort the installation.
 			// We do this before checking the lock file, so that we also
 			// evaluate policy for providers that are already installed.
-			result := i.hook.EvaluatePolicy(ctx, provider, version.String())
+			err := hook.ProviderVersionSelected(ctx, provider, version.String())
 
 			// return a generic error here that the init command returns to the CLI.
 			// The detailed policy diagnostics are included in the policy results
 			// and will be formatted in the CLI output.
-			if len(result.Diagnostics) > 0 && result.Diagnostics.AsTerraformDiags().HasErrors() {
-				return nil, fmt.Errorf("Provider download failed due to policy violations. Please review other diagnostics for details.")
+			if err != nil {
+				return nil, err
 			}
 		}
 
@@ -806,7 +797,10 @@ func (err InstallerError) Error() string {
 }
 
 type InstallerHook interface {
-	// EvaluatePolicy is called for each provider version that is being installed
-	// or upgraded, allowing the caller to implement custom policy evaluation.
-	EvaluatePolicy(ctx context.Context, provider addrs.Provider, version string) policy.EvaluationResponse
+	// ProviderVersionSelected is called after the installer has selected a provider
+	// version and before it decides whether install the selected package, either from
+	// the local cache or from a remote registry.
+	//
+	// Returning an error aborts installation.
+	ProviderVersionSelected(ctx context.Context, provider addrs.Provider, version string) error
 }