Build official releases with Go 1.18 #30768
There is no special reason to do this; we just typically adopt the latest minor release of the Go toolchain for each new minor release of Terraform CLI so that we can make use of its new library and language features gradually over the subsequent patch releases. Adopting early will give us more time to exercise this and catch any wrinkles before the Terraform CLI v1.2 release.
Reminder for the merging maintainer: if this is a user-visible change, please update the changelog on the appropriate release branch.
I see some chatter on golang-nuts suggesting that the enhancement to use platform APIs for TLS cert verification on macOS is effectively subjecting Go programs to stricter certificate verification rules than before. This seems to be an intentional decision on Apple's part and so arguably our new behavior here is more correct in that we're being consistent with the general security posture of macOS, and so I don't suggest that we try to patch around this immediately, but I'm leaving this note here in case we get stronger feedback during prerelease testing that identifies a pervasive problem with this change.

For example, if the certificates used by the blob storage services used by any of our various state storage backends are classified as invalid by these new rules then that would severely impact all Terraform users on macOS in a way that they are not empowered to resolve -- they cannot change macOS, and they cannot change the certificates of the third-party cloud service they depend on.

It is not clear to me at this time what exactly we might do to work around the macOS certificate verification rules. If we learn of a high-impact problem caused by this change then we will need to navigate that as best we can with whatever information and workarounds are available at that time. Since this is a change that will affect the whole Go ecosystem, by that time we may be able to build on solutions adopted by our peers on other teams which maintain CLI tools intended for use on macOS written in Go.

If you (the reader of this comment) have found yourself here after seeing an error like "certificate is not standards compliant" from Terraform v1.2 or later when interacting with a module registry, other remote module source, provider registry, or state storage backend, and if you are running Terraform on macOS, then you may need to switch to a more modern certificate on the service you are accessing.

If the relevant remote service is run by a third party such that your own organization would not be able to fix it, please let us know by opening a new bug report issue and sharing all of the relevant context requested in our issue template. As a first preference we are likely to try to influence the vendor to issue certificates compatible with the macOS certificate verification rules (which would therefore be accepted by other software on macOS too), but in cases of broad impact across many users we may consider mitigations within Terraform itself as a temporary workaround.

If you see this error in a context related to a request made by a provider plugin -- for example, if the error message refers to a particular

Thanks!
The Go team is tracking the macOS-specific TLS certificate verification concern (see my previous comment) in golang/go#51991.
As usual, there are a few Go-level release notes that will translate into Terraform CLI release notes due to Terraform relying on various Go features for its work.
This time the passed-on changes/improvements are relatively modest, since Go 1.18 changes are mostly additive and changes to existing functionality we use are either motivated by security (the various TLS-related changes below) or correcting incorrect behavior with invalid input that Terraform already rejects upstream at parsing time (such as non-UTF8-encoded strings).
The following are my proposed additional changelog entries which I'd add after merging this:
UPGRADE NOTES:
ENHANCEMENTS: