New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use safe or force workspace delete for cloud backend #31949
Use safe or force workspace delete for cloud backend #31949
Conversation
@@ -109,7 +109,7 @@ type Backend interface { | |||
// DeleteWorkspace cannot prevent deleting a state that is in use. It is | |||
// the responsibility of the caller to hold a Lock for the state manager | |||
// belonging to this workspace before calling this method. | |||
DeleteWorkspace(name string) error | |||
DeleteWorkspace(name string, force bool) error |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I dont love adding magic boolean arguments to interfaces, especially when it is only used in one of the backends. I can justify it here because "force deleting" is an existing concept for workspace deleting, which just hasnt been handled by the backends up until now.
However, any suggestions on how to pass this force vs safe deletion boolean to the cloud backend are welcome
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is what we like to see. All backends should share the same interface, even if they don't all behave exactly the same.
@@ -582,7 +582,7 @@ func (b *Remote) WorkspaceNamePattern() string { | |||
} | |||
|
|||
// DeleteWorkspace implements backend.Enhanced. | |||
func (b *Remote) DeleteWorkspace(name string) error { | |||
func (b *Remote) DeleteWorkspace(name string, _ bool) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not 100% sure if it makes sense to also add usage of the Safe Delete API to the remote
backend (instead of just the cloud
backend). I have not in this PR so far, but input is appreciated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think it's strictly necessary to backport your changes from cloud to backend "remote" but it depends on how many terraform users you'd like to reach with this feature.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My instinct then is to leave remote
as it is, since:
- we recommend
cloud
instead - the CLI already does some safe vs force delete checks, this change is just some additional guards. So having the
remote
backend continue to fallback to the existing force-delete APIs seems 👌
|
||
var err error | ||
|
||
isSafeDeleteSupported := s.workspace.Permissions.CanForceDelete != nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can temporarily update go.mod with the branch version of go-tfe to test this while it's a PR. Just be sure to get go-tfe merged and released first and reset the go.mod dependency to the new version before merging this PR.
} else { | ||
err = s.tfeClient.Workspaces.SafeDelete(context.Background(), s.organization, s.workspace.Name) | ||
} | ||
|
||
if err != nil && err != tfe.ErrResourceNotFound { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can see here that we ignore 404 errors when deleting the workspace, and I'm wondering if we should do the same thing when reading the workspace before deleting it in internal/cloud/backend.go...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That is very interesting...I guess if the workspace cant be read, we would have failed earlier in the command code here
Im not really sure what makes the most sense for this interface in isolation, but for consistency I am happy to change it to return successfully if the workspace cant be found once we are attempting the delete
cf761dd
to
0a940f8
Compare
946a213
to
4c6ddc1
Compare
4c6ddc1
to
c28aaa2
Compare
c28aaa2
to
0ae6eff
Compare
Reminder for the merging maintainer: if this is a user-visible change, please update the changelog on the appropriate release branch. |
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
Updates the cloud backend to call either workspace safe-delete or workspace force-delete
These are new concepts to the Terraform Cloud workspace deletion APIs (proposed documentation here). Workspace safe delete will only remove a workspace if it does not have resources under management, to help prevent users from accidentally leaving managed resources orphaned from Terraform.
If a CLI user does not pass the
-force
option toterraform workspace delete
, the cloud backend will attempt to use the new workspace safe-delete API (if we can detect that the TFC/E version contains this API). Otherwise it will continue using the existing API, which functions as a force delete.The CLI already has this concept of force workspace deletion, and will not remove a workspace if it detects it is managing resources (unless the user passes the
-force
flag). So this just acts as an extra set of guardrails around workspace deletion without the-force
flag, since the safe delete API can make some additional checks around whether the workspace in question is locked, or if its state is in the process of being updated.Relevant RFC
This depends on the go-tfe change here
Draft CHANGELOG entry
ENHANCEMENTS
When using the cloud backend
terraform workspace delete
will now perform additional checks to ensure that the workspace being deleted is not managing state, such as checking if the workspace is locked or if its state is in the process of being updated, unless the-force
option is passed.