Should we use a mutex/atomic here?

I don't think the builder is meant to be safe for concurrent use.
Maybe good for a follow-up though, as it could trip someone else up in future.

Yea, we do this pattern everywhere. It's all single threaded

Suggestion: NewExternalEchoProvisionerDaemon?

I can rename in a follow-up! It would be a big diff :D

Yea, I think I wrote the original name. I don't think I even considered expected non-echo type in tests 😄

Yea, I think I wrote the original name. I don't think I even considered expected non-echo type in tests 😄

So this runs real terraform? Does this mean tests can accidentally provision resources?

Yeah, that's the tricky thing if you're not careful. There's no other real way to test this apart from spinning up a Docker container or manual testing, and we really need some kind of integration test here.

Woah, he did it 🤯

This is a super nice test. Slightly concerned with terraform being executed in tests, would be nice if we could lock it down somehow to prevent it allocating any resources.

I could add a hacky check for the pattern resource "[^"]+" "[^"]+" and fail. That would at least make folks think twice before hacking it further to allow certain resources.

EDIT: Actually I'm not even sure I could do that right now due to how provisionerd works. Needs some more thinking. For now... ruleguard? 🤷

I don't think ruleguard would be sufficient. I wonder if we can do something to the executable. Run it another userspace with no perms? Configure a HTTP_PROXY that is broken so any external requests fail? I'm not sure 🤷‍♂️

I'm ok if we let this slide for now, since I don't know a good way. Just an unfortunate consequence.

Yeah I think we may need to think about the best way to prevent misuse of this.