
Build official releases with Go 1.18 #30768

Merged (1 commit, Mar 30, 2022)

Conversation

apparentlymart (Member)

There is no special reason to do this; we just typically adopt the latest minor release of the Go toolchain for each new minor release of Terraform CLI so that we can make use of its new library and language features gradually over the subsequent patch releases.

Adopting early will give us more time to exercise this and catch any wrinkles before the Terraform CLI v1.2 release.


As usual, there are a few Go-level release notes that will translate into Terraform CLI release notes due to Terraform relying on various Go features for its work.

This time the passed-on changes/improvements are relatively modest, since Go 1.18 changes are mostly additive and changes to existing functionality we use are either motivated by security (the various TLS-related changes below) or correcting incorrect behavior with invalid input that Terraform already rejects upstream at parsing time (such as non-UTF8-encoded strings).

The following are my proposed additional changelog entries which I'd add after merging this:

UPGRADE NOTES:

  • The official Linux packages for the v1.2 series now require Linux kernel version 2.6.32 or later.
  • When making outgoing HTTPS or other TLS connections as a client, Terraform now requires the server to support TLS v1.2. TLS v1.0 and v1.1 are no longer supported. Any safely up-to-date server should support TLS 1.2, and browsers have required it since 2020. (Note: this applies only to requests made by Terraform CLI itself, such as provider/module installation and state storage requests. Terraform provider plugins include their own TLS clients which may have different requirements.)
  • When making outgoing HTTPS or other TLS connections as a client, Terraform will no longer accept CA certificates signed using the SHA-1 hash function. Publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.

ENHANCEMENTS:

  • When running on macOS, Terraform will now use platform APIs to validate certificates presented by TLS (HTTPS) servers. This may change exactly which root certificates Terraform will accept as valid.

@apparentlymart apparentlymart merged commit 9f4b84c into main Mar 30, 2022
@apparentlymart apparentlymart deleted the go1.18 branch March 30, 2022 23:15
@github-actions

Reminder for the merging maintainer: if this is a user-visible change, please update the changelog on the appropriate release branch.

@apparentlymart (Member, Author)

I see some chatter on golang-nuts suggesting that the enhancement to use platform APIs for TLS cert verification on macOS is effectively subjecting Go programs to stricter certificate verification rules than before.

This seems to be an intentional decision on Apple's part and so arguably our new behavior here is more correct in that we're being consistent with the general security posture of macOS, and so I don't suggest that we try to patch around this immediately, but I'm leaving this note here in case we get stronger feedback during prerelease testing that identifies a pervasive problem with this change.

For example, if the certificates used by the blob storage services used by any of our various state storage backends are classified as invalid by these new rules then that would severely impact all Terraform users on macOS in a way that they are not empowered to resolve -- they cannot change macOS, and they cannot change the certificates of the third-party cloud service they depend on.

It is not clear to me at this time what exactly we might do to work around the macOS certificate verification rules. If we learn of a high-impact problem caused by this change then we will need to navigate that as best we can with whatever information and workarounds are available at that time. Since this is a change that will affect the whole Go ecosystem, by that time we may be able to build on solutions adopted by our peers on other teams which maintain CLI tools intended for use on macOS written in Go.


If you (the reader of this comment) have found yourself here after seeing an error like "certificate is not standards compliant" from Terraform v1.2 or later when interacting with a module registry, other remote module source, provider registry, or state storage backend, and if you are running Terraform on macOS, then you may need to switch to a more modern certificate on the service you are accessing.

If the relevant remote service is run by a third-party such that your own organization would not be able to fix it, please let us know by opening a new bug report issue and sharing all of the relevant context requested in our issue template. As a first preference we are likely to try to influence the vendor to issue certificates compatible with the macOS certificate verification rules (which would therefore be accepted by other software on macOS too), but in cases of broad impact across many users we may consider mitigations within Terraform itself as a temporary workaround.

If you see this error in a context related to a request made by a provider plugin -- for example, if the error message refers to a particular resource, data, or provider block -- you should report the problem in the provider's own repository instead. Terraform provider plugins are separate executables with their own TLS/HTTPS clients and so Terraform Core -- the provider-agnostic code in this repository -- does not control the TLS certificate verification performed by provider plugins and so we will not be able to make any changes in this repository to improve such a situation.

Thanks!

@hashicorp hashicorp locked as resolved and limited conversation to collaborators Apr 1, 2022
@apparentlymart (Member, Author)

The Go team is tracking the macOS-specific TLS certificate verification concern (see my previous comment) in golang/go#51991.
