fix(tfe-v2): accept colon-form key:value cloud-block tags #518
Merged
OpenTofu's `cloud { workspaces { tags = [...] } }` only supports the
set-of-string form; the Terraform 1.10+ map form (`tags = { k = "v" }`)
is rejected with "set of string required". Since `=` isn't a legal tag
character, the portable way to select workspaces by an exact label
key+value is the colon form, e.g. `tags = ["repo:tf-aws-core"]`.
The `search[tags]` parser only split tokens on `=`, so a `key:value`
token was treated as a bare key and never matched. Split list-form
tokens on the first `:` or `=` so both map to an exact `key=value`
label filter. The `=` form (go-tfe / direct callers) is unchanged.
Adds parser tests for the colon form, mixed colon/equals/bare tokens,
hyphenated values, and empty-key skipping; updates the migration doc.
The listener image pinned cryptography <48.0.0, so it resolved to 47.0.0, which a newly-published HIGH advisory (GHSA-537c-gmf6-5ccf, vulnerable OpenSSL bundled in the cryptography wheels) flags — fixed in 48.0.1. The main pyproject already allows <49.0.0 (api/runner/migrations get 48.x and pass the scan); only the listener's separate cap blocked the fix. Raise its floor to 48.0.1 to clear the listener image Trivy scan.
Lets you select Terrapod workspaces by an exact label key+value from the `cloud` block with OpenTofu, and clears a newly-disclosed listener-image CVE that was blocking CI.

Colon-form cloud-block tags

OpenTofu (verified on v1.12.2) only supports the set-of-string form of `cloud { workspaces { tags = [...] } }`; the Terraform 1.10+ map form is rejected at config-validation (`set of string required`) — tofu's own schema, before any API call. Since `=` is not a legal tag character, the portable way to select by exact label key+value is the colon form, e.g. `tags = ["repo:web-app"]`.

Terrapod's `search[tags]` parser only split tokens on `=`, so a `key:value` token was treated as a bare key and matched nothing. `_parse_tag_filters` now splits each list-form token on the first `:` or `=` so both map to an exact `key=value` label filter. Bare tags and the `=` form (go-tfe / direct callers) are unchanged.

Bundled security fix

The listener image pinned `cryptography <48.0.0` (→ 47.0.0), which a newly-published HIGH advisory (GHSA-537c-gmf6-5ccf) flags — fixed in 48.0.1. Raised the listener floor to `>=48.0.1` (api/runner/migrations already get 48.x via the main pyproject).
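An added illustration of the colon-form tag parsing described above; it is not the PR's code or Terrapod's `_parse_tag_filters`. The names `parse_tag_tokens`, `matches` and `select`, the comma-separated input, key-presence matching for bare tags, and AND semantics across filters are assumptions, and the workspaces are constructed sample data.

```python
from typing import Optional

Filter = tuple[str, Optional[str]]  # (key, value); value None means a bare tag


def parse_tag_tokens(raw: str, separators: str = ":=") -> list[Filter]:
    """Split a comma-separated tag string (assumed input shape) into filters."""
    filters: list[Filter] = []
    for token in raw.split(","):
        token = token.strip()
        if not token:
            continue
        # Index of the first separator of either kind, if the token has one.
        hits = [i for i in (token.find(s) for s in separators) if i != -1]
        if not hits:
            filters.append((token, None))  # bare tag: key only
            continue
        cut = min(hits)
        key, value = token[:cut].strip(), token[cut + 1:].strip()
        if not key:
            continue  # empty key (":value", "=value") is skipped
        filters.append((key, value))
    return filters


def matches(labels: dict[str, str], filters: list[Filter]) -> bool:
    """True when the labels satisfy every filter (AND semantics, assumed)."""
    return all(
        key in labels and (value is None or labels[key] == value)
        for key, value in filters
    )


# Constructed sample workspaces, not data from the project.
WORKSPACES = {
    "core": {"repo": "tf-aws-core", "env": "prod"},
    "web": {"repo": "web-app", "env": "dev"},
}


def select(raw: str, separators: str = ":=") -> list[str]:
    """Names of the sample workspaces selected by the tag string."""
    filters = parse_tag_tokens(raw, separators)
    return sorted(n for n, lbl in WORKSPACES.items() if matches(lbl, filters))


if __name__ == "__main__":
    print(select("repo:web-app", separators="="))  # '='-only splitting: bare key
    print(select("repo:web-app"))                  # colon form: exact key=value
    print(select("repo=tf-aws-core,env"))          # '=' form plus a bare tag
```

In this sketch a tag string whose tokens are all skipped yields no filters and therefore selects every workspace; a caller should decide explicitly whether that case means "all" or "none".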