Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add feature flag and test for force-unlock #25

Merged
merged 2 commits into from
May 1, 2024
Merged

feat: add feature flag and test for force-unlock #25

merged 2 commits into from
May 1, 2024

Conversation

tobikris
Copy link
Member

@tobikris tobikris commented Mar 29, 2023
edited
Loading

Our implementation is currently not able to be used with the force-unlock command of terraform. The reason is that terraform sends n empty body for the unlock request and we expect the lock info.

I added a testcase for this and improved the handling slightly - however there is no clear path to allowing the force-unlock. The lock ID is not even sent by the client - should we just unlock any lock? Unfortunately we cannot send an error message to the client either - so they just see something like

Failed to unlock state: Unexpected HTTP response code 400

This basically means that we currently do not have any possibility to unlock the state besides manipulating the lock backend directly.
What do you think?

See https://github.com/hashicorp/terraform/blob/main/internal/backend/remote-state/http/client.go#L125-L142 for reference.

@tobikris tobikris requested a review from lu1as March 29, 2023 23:51
@tobikris tobikris marked this pull request as draft March 29, 2023 23:52
@lu1as
Copy link
Member

lu1as commented Apr 27, 2024

I guess force-unlock is a important feature and manipulating the lock in the backend is annoying (speaking from experience). My suggestion would be to introduce a feature flag for the native force-unlock command which just ignores the lock ID. Further, I would like to a separate API endpoint for offering a force-unlock with lock ID check. Fixing it upstream (probably in OpenTofu) seems to be no option, as it would break all existing HTTP backend implementations, right?

@lu1as lu1as marked this pull request as ready for review April 27, 2024 12:40
@lu1as lu1as self-assigned this Apr 27, 2024
@lu1as
Copy link
Member

lu1as commented Apr 27, 2024
edited
Loading

@tobikris Do you agree with my approach?

@lu1as lu1as changed the title feat: add test for force-unlock feat: add feature flag and test for force-unlock Apr 27, 2024
@lu1as @tobikris
feat: add force-unlock feature flag
7bf26c9 
The Terraform HTTP backend client does not send a lock ID on force-unlock. This feature flag lets the backend unlock the state even if the lock ID is missing in the request.
@lu1as lu1as merged commit f8e8dae into main May 1, 2024
2 checks passed
@lu1as lu1as deleted the force-unlock branch May 1, 2024 09:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lu1as lu1as lu1as approved these changes

Assignees

@tobikris tobikris

@lu1as lu1as

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tobikris @lu1as