Prevent automatic backend migration during terraform init
#28718
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When terraform detects a change in the stored backend configuration, it will always attempt to setup a state migration. This often presents a problem for users when the stored configuration is no longer valid in some way, usually due to changes in authentication or accidental misconfiguration. The failure mode here can be quite confusing, as the error may show "Access Denied" or similar for what the user intends to be the current backend, though it is originating from the stored configuration.
Since init is a required part of the workflow, the majority of time that init is executed, migration is not expected. In the cases where it is desired, the user should already be aware of the change because there was a change in the configuration. This would also match the behavior of running terraform in a clean environment every time, as it usually is in automation.
See #18011 for more background.
This PR adds an
init -migrate-state
flag to indicate automatic state migration is desired. This flag will be implied by the-force-copy
flag, since that would indicate state migration is expected. Ifinit
now encounters a change to the stored backend configuration, it will always return an error when neither-reconfigure
or-migrate-state
is supplied. This would not apply to the first time a backend is configured, as there would be no stored configuration to compare, preventing any change in the usual remote state onboarding process.We can also improve the init error output here, and replace some of the legacy output strings with diagnostics, removing the
"Please see the error message above"
errors, which are referring to error output written to stdout. Being able to catch the unexpected change in backend configuration and return an error allows us to now present the user with instructions about how to accept the configuration changes, either through migration of reconfiguration.Running
init
without either of those flags will show