Run terraform init as part of check goal

[lilatomic]

Many Terraform tools require Providers and Modules to be installed with terraform init for them to work properly. This includes terraform validate which is the backbone of the current check goal for Terraform.
This is the simplest way of installing these. It makes no effort to actually understand what modules are used, and defers entirely to the terraform init. As the providers will be downloaded as one block, this might take up a lot of space in the pants cache (I'm not sure tho).
We could do smarter things. Terraform has separate was of listing the required providers; saving lockfiles of them; and downloading the providers. (We could also parse the version specs from the Terraform sources themselves and make lockfiles ourselves.) That sounds like a cool thing to do, but definitely more complicated than bundling the dependencies into a Digest. I think it's worth getting this support working since check is not functional for any Terraform sources which use Providers or Modules, which is probably most of them. This will also allow us to integrate more Terraform tools. I think the improvements to Provider fetching are unlikely to resolve real problems. Terraform deployments usually pull in all their sibling files, contrasting with Python where siblings might not be imported; therefore, we are unlikely to see large gains in separating the downloaded Providers.

resolves #18489

[ndellosa95]

Hey @lilatomic - thanks for handling this issue, I was about to start looking into it myself and saw you had already done so. 😄

Could you also run the script to take care of this issue too? I tried pulling in your changes to use with terraform 1.2.9 on an Intel Mac and am getting the following error:

IntrinsicError: Error hashing/capturing URL fetch response: Downloaded file was larger than expected digest

[benjyw]

There's a conversation here about why the tf backend doesn't run init today. Specifically, tf init modifies external state, and so is side-effectful.

Can you explain here how this change handles that issue?

[benjyw]

This is (dir, Digest of .terraform and .terraform.lock.hcl for that dir) ? Worth documenting, as that is not at all intuitive.

[benjyw]

Also, are these files in fact relocatable/cacheable? Are they remote-cacheable?

[lilatomic]

they're definitely cacheable. My concern is on the grain of the cache and the cache key. Currently I think they'd all be considered 1 big digest, and the cache key would be all TF files requested. Both can be made smaller. I talk a bit more about it in the comment at the head of the MR. We can extract the list of required providers and individually download them (we can then either have terraform install from these local sources or emplace them ourselves). Terraform also supports lockfiles, which we could in some way leverage.
I'm pretty sure they could be remote-cached as well.
The combined size can be quite large, ours are around 200M (I think the big cloud Providers are most of it)

[benjyw]

Isn't that a terraform-level problem though? I.e., wouldn't that be an issue even without Pants?

[lilatomic]

Pants might introduce another way for it to be a problem, in that it looks like it selects multiple terraform_modules and includes them all in the same (single) partition. Essentially the same as if Python didn't have the concept of resolves: it would be possible for different Python sources to depend on different versions of dependencies.
I think terraform does the right thing here because we use the -chdir argument, so even though all the sources are included terraform is only looking in the correct subdir. I'm not sure though

[benjyw]

Gotcha. I suppose we could run tf init on each directory in a separate process? But that can be a followup investigation.

[benjyw]

terraform will write these relative to the chdir, but Pants doesn't know about chdir so won't it try to capture them relative to the sandbox root, and then not find them? So don't you need to prefix the directory here?

[lilatomic]

They're prefixed inside of TerraformProcess. The logic for me was that terraform interprets all of the other file paths as relative to the chdir. Your comment reminded me that there's a better way than banging it together with pathlib, I'll look into that

[benjyw]

Gotcha, makes sense.

[lilatomic]

Specifically, tf init modifies external state, and so is side-effectful.

I think init's interaction with state can be split into:

• updating the lockfile
• downloading/upgrading providers
• upgrading the version of the tfstate (maybe)

This MR gets around each of those by:

• ignoring the lockfile (there is also the -lockfile=readonly mode to not update it when we do start including it)
• sandboxing (providers downloaded by a terraform init outside of pants aren't visible in the sandbox
• ignoring the local state (sandboxed) or remote state (ignoring the backend config). (I can't positively say that's valid in all cases, as I don't know much about backends, but I believe it is)

I think it's therefore safe to run init in this context.

[benjyw]

Should I merge this, @lilatomic ?

[lilatomic]

yeah, should be good to go. I was thinking of the "relocated_files" target, which doesn't help here. Hopefully I'll be able to put in the work for making the logic of this process smarter