terraform icon indicating copy to clipboard operation
terraform copied to clipboard
verified publisher icon hashicorp

Update `backendbase` to use empty strings from configuration, instead of looking for fallback or ENV values

Open SarahFrench opened this issue 1 month ago • 1 comments

Fixes https://github.com/hashicorp/terraform/issues/37846

In https://github.com/hashicorp/terraform/pull/37225 (a rebased version of https://github.com/hashicorp/terraform/pull/34990) the azure backend was updated to use the new backendbase package instead of the legacy SDK. This was the last backend migrated over.

Now, the structs representing remote-state backend implementations embed backendbase.Base (example in azure). If the remote-state backend doesn't implement methods like PrepareConfig then the implementation of that method in backendbase.Base is used instead.

In the case of the original issue reported about the Azure backend, the azure backend doesn't implement PrepareConfig itself and instead uses the implementation in backendbase.Base. In that method there is logic that didn't accurately mimic how the legacy SDK handled attributes that were explicitly set to an empty string in the configuration:

backend "foobar" {
   value = ""
}

Instead of using the empty string value like the legacy SDK, the new backendbase package looks for any fallback values defined for that attribute in backend's SDKLikeDefaults values; default values defined in the schema or names of environment variables to use. The PrepareConfig method returns data about how the backend should be configured, a combo of config, schema defaults, and ENV values, and then Terraform Core then uses that value to configure the backend.

This PR

  • Updates the backendbase package to detect non-null, string attributes that are set to "" and uses that value, reverting behaviour back to match the legacy SDK.
    • This means the data received by Terraform Core from PrepareConfig still includes the empty string, and that'll be used to configure the backend.
  • Adds a test that asserts neither fallback default values or ENVs are used when an attribute is set to an empty string.
  • Updates existing test.

Target Release

1.15.x

Rollback Plan

  • [x] If a change needs to be reverted, we will roll out an update to the code within 7 days.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

CHANGELOG entry

  • [x] This change is user-facing and I added a changelog entry.
  • [ ] This change is not user-facing.

SarahFrench avatar Nov 05 '25 13:11 SarahFrench

FYI @hashicorp/terraform-azure :

The reported error is not specific to the Azure backend, but I explored adding a test that shows empty strings are used specifically in the azure backend. I've made a PR here (https://github.com/hashicorp/terraform/pull/37878) that contains a test but I don't expect to/want to merge it as there was a small change needed in the remote-state/azure Backend struct needed to enable the test.

SarahFrench avatar Nov 05 '25 13:11 SarahFrench