tests/provider: Bootstrap d.IsNewResource() semgrep rule and fix some A resources to start #18346
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ghost
added
size/L
|
There are cases where a terraform-provider-aws/aws/resource_aws_api_gateway_vpc_link.go Lines 165 to 173 in 3d8e0fa |
|
@ewbankkit yeah, any |
anGie44
reviewed
Mar 25, 2021
.semgrep.yml
Outdated
Comment on lines
252
to
257
| - aws/resource_aws_b*.go | ||
| - aws/resource_aws_c*.go | ||
| - aws/resource_aws_d*.go | ||
| - aws/resource_aws_e*.go | ||
| - aws/resource_aws_f*.go | ||
| - aws/resource_aws_g*.go |
There was a problem hiding this comment.
are these explicit lines in place of usage like: aws/resource_aws_[b-g]*.go?
There was a problem hiding this comment.
i tried using the range usage locally and the report didn't send back any errors from those files 🤔 so maybe it works?
There was a problem hiding this comment.
It does seem to work! 👍 Will adjust by rebasing this with that change.
anGie44
approved these changes
Mar 25, 2021
… A resources to start Reference: #16796 During resource creation, Terraform CLI expects either a properly applied state for the new resource or an error. To signal proper resource existence, the Terraform Plugin SDK uses an underlying resource identifier (set via `d.SetId(/* some value */)`). If for some reason the resource creation is returned without an error, but also without the resource identifier being set, Terraform CLI will return an error such as: ``` Error: Provider produced inconsistent result after apply When applying changes to aws_sns_topic_subscription.sqs, provider "registry.terraform.io/hashicorp/aws" produced an unexpected new value: Root resource was present, but now absent. This is a bug in the provider, which should be reported in the provider's own issue tracker. ``` A typical pattern in resource implementations in the `Create`/`CreateContext` function is to `return` the `Read`/`ReadContext` function at the end to fill in the Terraform State for all attributes. Another typical pattern in resource implementations in the `Read`/`ReadContext` function is to remove the resource from the Terraform State if the remote system returns an error or status that indicates the remote resource no longer exists by explicitly calling `d.SetId("")` and returning no error. If the remote system is not strongly read-after-write consistent (eventually consistent), this means the resource creation can return no error and also return no resource state. To prevent this type of Terraform CLI error, the resource implementation should also check against `d.IsNewResource()` before removing from the Terraform State and returning no error. If that check is `true`, then remote operation error (or one synthesized from the non-existent status) should be returned instead. While adding this check will not fix the resource implementation to handle the eventually consistent nature of the remote system, the error being returned will be less opaque for operators and code maintainers to troubleshoot. Previously: ``` aws/resource_aws_accessanalyzer_analyzer.go severity:warning rule:helper-schema-ResourceData-SetId-empty-without-IsNewResource-check: Calling `d.SetId("")` should ensure `!d.IsNewResource()` is checked first 115: d.SetId("") 116: return nil aws/resource_aws_acm_certificate_validation.go severity:warning rule:helper-schema-ResourceData-SetId-empty-without-IsNewResource-check: Calling `d.SetId("")` should ensure `!d.IsNewResource()` is checked first 181: d.SetId("") 182: return nil aws/resource_aws_acmpca_certificate.go severity:warning rule:helper-schema-ResourceData-SetId-empty-without-IsNewResource-check: Calling `d.SetId("")` should ensure `!d.IsNewResource()` is checked first 175: d.SetId("") 176: return nil aws/resource_aws_acmpca_certificate_authority.go severity:warning rule:helper-schema-ResourceData-SetId-empty-without-IsNewResource-check: Calling `d.SetId("")` should ensure `!d.IsNewResource()` is checked first 329: d.SetId("") 330: return nil -------------------------------------------------------------------------------- 339: d.SetId("") 340: return nil -------------------------------------------------------------------------------- 371: d.SetId("") 372: return nil -------------------------------------------------------------------------------- 398: d.SetId("") 399: return nil aws/resource_aws_ami.go severity:warning rule:helper-schema-ResourceData-SetId-empty-without-IsNewResource-check: Calling `d.SetId("")` should ensure `!d.IsNewResource()` is checked first 344: d.SetId("") 345: return nil -------------------------------------------------------------------------------- 361: d.SetId("") 362: return nil -------------------------------------------------------------------------------- 383: d.SetId("") 384: return nil aws/resource_aws_ami_launch_permission.go severity:warning rule:helper-schema-ResourceData-SetId-empty-without-IsNewResource-check: Calling `d.SetId("")` should ensure `!d.IsNewResource()` is checked first 81: d.SetId("") 82: return nil ``` Output from acceptance testing: ``` --- FAIL: TestAccAWSAcmCertificateValidation_validationRecordFqdnsWildcardAndRoot (4.02s) # alternate testing account issue --- FAIL: TestAccAWSAcmCertificateValidation_validationRecordFqdnsWildcard (4.11s) # alternate testing account issue --- PASS: TestAccAWSAcmCertificateValidation_basic (92.89s) --- PASS: TestAccAWSAcmCertificateValidation_timeout (25.70s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdns (101.67s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsEmail (20.07s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsRoot (92.99s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsRootAndWildcard (63.68s) --- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsSan (88.87s) --- PASS: TestAccAwsAcmpcaCertificate_EndEntityCertificate (35.64s) --- PASS: TestAccAwsAcmpcaCertificate_RootCertificate (28.20s) --- PASS: TestAccAwsAcmpcaCertificate_SubordinateCertificate (38.12s) --- PASS: TestAccAwsAcmpcaCertificate_Validity_Absolute (34.39s) --- PASS: TestAccAwsAcmpcaCertificate_Validity_EndDate (35.95s) --- PASS: TestAccAwsAcmpcaCertificateAuthority_basic (22.75s) --- PASS: TestAccAwsAcmpcaCertificateAuthority_DeleteFromActiveState (24.35s) --- PASS: TestAccAwsAcmpcaCertificateAuthority_disappears (14.37s) --- PASS: TestAccAwsAcmpcaCertificateAuthority_Enabled (53.63s) --- PASS: TestAccAwsAcmpcaCertificateAuthority_RevocationConfiguration_CrlConfiguration_CustomCname (120.00s) --- PASS: TestAccAwsAcmpcaCertificateAuthority_RevocationConfiguration_CrlConfiguration_Enabled (95.90s) --- PASS: TestAccAwsAcmpcaCertificateAuthority_RevocationConfiguration_CrlConfiguration_ExpirationInDays (74.81s) --- PASS: TestAccAwsAcmpcaCertificateAuthority_Tags (62.46s) --- PASS: TestAccAWSAMI_basic (63.47s) --- PASS: TestAccAWSAMI_description (76.70s) --- PASS: TestAccAWSAMI_disappears (60.26s) --- PASS: TestAccAWSAMI_EphemeralBlockDevices (63.85s) --- PASS: TestAccAWSAMI_Gp3BlockDevice (46.78s) --- PASS: TestAccAWSAMI_tags (89.70s) --- PASS: TestAccAWSAMILaunchPermission_basic (337.22s) --- PASS: TestAccAWSAMILaunchPermission_Disappears_AMI (354.06s) --- PASS: TestAccAWSAMILaunchPermission_Disappears_LaunchPermission (336.05s) --- PASS: TestAccAWSAMILaunchPermission_Disappears_LaunchPermission_Public (334.96s) ```
…ty-without-IsNewResource-check exclude paths
bflad
force-pushed
the
b-IsNewResource-check-bootstrap
branch
from
d6a9948 to
622a3ac
Compare
|
This has been released in version 3.35.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks! |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked as resolved and limited conversation to collaborators
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Community Note
Reference: #16796
During resource creation, Terraform CLI expects either a properly applied state for the new resource or an error. To signal proper resource existence, the Terraform Plugin SDK uses an underlying resource identifier (set via
d.SetId(/* some value */)). If for some reason the resource creation is returned without an error, but also without the resource identifier being set, Terraform CLI will return an error such as:A typical pattern in resource implementations in the
Create/CreateContextfunction is toreturntheRead/ReadContextfunction at the end to fill in the Terraform State for all attributes. Another typical pattern in resource implementations in theRead/ReadContextfunction is to remove the resource from the Terraform State if the remote system returns an error or status that indicates the remote resource no longer exists by explicitly callingd.SetId("")and returning no error. If the remote system is not strongly read-after-write consistent (eventually consistent), this means the resource creation can return no error and also return no resource state.To prevent this type of Terraform CLI error, the resource implementation should also check against
d.IsNewResource()before removing from the Terraform State and returning no error. If that check istrue, then remote operation error (or one synthesized from the non-existent status) should be returned instead. While adding this check will not fix the resource implementation to handle the eventually consistent nature of the remote system, the error being returned will be less opaque for operators and code maintainers to troubleshoot.Previously:
Output from acceptance testing: