Skip to content

Don't write ephemeral outputs to state #37821

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 31, 2025
Merged

Don't write ephemeral outputs to state #37821

merged 1 commit into from
Oct 31, 2025
+74 −42

Conversation

@liamcervante
Copy link
Member

@liamcervante liamcervante commented Oct 28, 2025
edited
Loading

Don't backport until after 1.14 release.

Previously, the line state.SetOutputValue(n.Addr, val, n.Config.Sensitive) was (I think) mistakenly outside of a surrounding conditional. This isn't actually causing any problems at the moment, because ephemeral outputs are actually disallowed in root outputs anyway, and only root outputs are written to state but is still an inconsistency.

Also, Stacks and Test do allow root outputs to be ephemeral but for the moment don't record state files anywhere so also not an issue (yet).

This did discover an issue in Test though, as we do use the state file to check output values when requested which worked "by accident" before. Luckily, there is an easy fix for this which is to update the reference evaluator to use the named values object instead of the state file, and is safe to write ephemeral outputs into the named values since that is never made available externally. So, this PR also updates the GetOutput resolver to use the named values instead of the state file to resolve output references from test files.

Fixes #

Target Release

1.15.x

Rollback Plan

  • If a change needs to be reverted, we will roll out an update to the code within 7 days.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

CHANGELOG entry

  • This change is user-facing and I added a changelog entry.
  • This change is not user-facing.

@liamcervante liamcervante requested a review from a team as a code owner October 28, 2025 08:39
@liamcervante liamcervante added no-changelog-needed Add this to your PR if the change does not require a changelog entry 1.14-backport If you add this label to a PR before merging, backport-assistant will open a new PR once merged labels Oct 28, 2025
@liamcervante liamcervante merged commit e44b870 into main Oct 31, 2025
15 of 17 checks passed
@liamcervante liamcervante deleted the liamcervante/ephemeral-outputs-state branch October 31, 2025 08:54
@github-actions github-actions bot mentioned this pull request Oct 31, 2025
Closed
3 tasks
@liamcervante liamcervante mentioned this pull request Oct 31, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jbardin jbardin jbardin approved these changes

Assignees

No one assigned

Labels

1.14-backport If you add this label to a PR before merging, backport-assistant will open a new PR once merged no-changelog-needed Add this to your PR if the change does not require a changelog entry

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@liamcervante @jbardin