Fix shims

[blampe]

Problem

When running go list -m in a provider upgraded to use bridge v3.93.1 you will get this error:

go: github.com/hashicorp/terraform-provider-tls@v0.0.0: invalid version: unknown revision v0.0.0
go: github.com/hashicorp/terraform-provider-tls/shim@v0.0.0-00010101000000-000000000000: invalid version: unknown revision 000000000000
go: github.com/terraform-providers/terraform-provider-random/randomshim@v0.0.0-00010101000000-000000000000: invalid version: unknown revision 000000000000

Ian called this out in #2473 (comment). My response there is true in the sense that providers do still build just fine -- go build, go test etc. don't touch these unused modules. The caveat I overlooked is that some IDE integrations (or more specifically any tooling built around go list) will try to resolve all of these direct and indirect dependencies.

When we consolidated modules, we moved replace directives for these shims out of the test module and into the root module.

Option 0: Bring back all the modules

I beg you not to do this but I do want to call it out as an option if the team would prefer it. I outline two more "idiomatic" options below.

Option 1: Handle replacements in the consumer

As a reminder, the replace directive only applies to the module where it's defined -- primarily to keep Go's minimal version selection algorithm simple and fast, but also to give downstream modules complete control of their builds. Hence replace is best suited for temporary overrides, for example to point at a local branch.

Permanent replace directives do happen and we use them quite a lot, though. If a module truly needs a permanent replace to work properly (which, to be clear, should be avoided!), its consumers need to mirror the same replace.

In other words, Option 1 is to not make any changes. Downstream projects can resolve this issue by copying these lines into go.mod:

replace github.com/hashicorp/terraform-provider-tls/shim => github.com/pulumi/pulumi-terraform-bridge/v3/pkg/pf/tests/internal/tlsshim v0.0.0-20241025174446-f865647b85ed

replace github.com/hashicorp/terraform-provider-tls => github.com/hashicorp/terraform-provider-tls v1.2.1-0.20210201152640-49d7590ccf3f

replace github.com/terraform-providers/terraform-provider-random/randomshim => github.com/pulumi/pulumi-terraform-bridge/v3/pkg/pf/tests/internal/randomshim v0.0.0-20241025174446-f865647b85ed

Clearly this is burdensome. For a real-world data point, this is the same strategy adopted by the k8s ecosystem and it has made dependency management with k8s notoriously painful.

We should not do this.

Option 2: Fork instead of abusing modules

tlsshim and randomshim are their own modules because they intentionally trick the compiler into exposing internal terraform packages. This internal import is only legal if your module is identified as github.com/terraform-providers/terraform-provider-random:

pulumi-terraform-bridge/pkg/pf/tests/internal/randomshim/shim.go

Lines 17 to 24 in 7dfbcd6

	import (
	tfpf "github.com/hashicorp/terraform-plugin-framework/provider"
	"github.com/terraform-providers/terraform-provider-random/internal/provider"
	)
	func NewProvider() tfpf.Provider {
	return provider.New()
	}

This is hacky but it matches the guidance we gives to users, and it is workable as long as the module consuming these shims doesn't have downstream consumers of its own. This is the case with most providers, but tfbridge is different because it is meant to be consumed as a library.

A more typical remedy for consuming private types is to fork the dependency and expose what you need. We could fork these two repositories under the pulumi org, but new repos come with their own overhead.

Instead, I opted to simply check-in the upstream random and tls providers. I preserved the commits we were previously pinned to (c6e90de46687 and afdd54107aba, respectively) so licensing is unaffected.

This way our go.mod will reflect a dependency on a public module that is still consumable downstream (e.g. terraform-provider-random), and we will use forks that expose the internals when testing.

This PR implements Option 2.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 62.72%. Comparing base (f865647) to head (998b9cf).
Report is 6 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2511      +/-   ##
==========================================
+ Coverage   62.70%   62.72%   +0.01%     
==========================================
  Files         381      382       +1     
  Lines       51514    51510       -4     
==========================================
+ Hits        32303    32308       +5     
+ Misses      17397    17389       -8     
+ Partials     1814     1813       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[t0yv0]

This is fine in my book. Also it might be possible to drop the tests that depend on these without meaningful loss of coverage. This was developed before we had a system going that qualifies bridge releases through checking if TLS and Random etc test will pass on these, and before we had any significant integration tests written against test providers. IN the long term specifically crafted test providers are the way. This is fine for now though AFAIK.

[t0yv0]

Will actual random provider build with this fine? It has its own dependency on this, and its own linker trick.

[blampe]

I don't think we need to change anything for the "real" random provider - it can continue to use the shim since it's not consumed as a library.

[iwahbe]

Let's take this change now, since we want a release that unbreaks users ASAP.

I agree with @t0yv0: We can stop relying on these tests soon without meaningful loss of coverage.

[guineveresaenger]

I would deeply love this change and I would also like a followup issue that tracks the consideration of removing the tests that depend on this code in favor of more modern testing options.

[blampe]

Created #2518 to track the followup.

[pulumi-bot]

This PR has been shipped in release v3.94.0.