Summary
scripts/aio-version-checker.py silently fails to detect version drift for Terraform files and for the cert-manager extension. As a result, CI can pass while the codebase is pinned to AIO component versions that no longer match the upstream manifest. Two independent gaps were found while preparing the AIO 2606 (v1.3.137) upgrade.
Gap 1 — Terraform detection is broken (python-hcl2 list wrapping)
python-hcl2 (0.4.3, currently installed) wraps block bodies in a single-element list, so a variable's default parses as [{...}] rather than {...}. The extractors (extract_tf_variables, extract_tf_instance_variables) check isinstance(defaults, dict), which is now always False, so they return an empty list. The checker therefore reports zero Terraform mismatches regardless of actual drift.
Reproduction (before fix):
python3 scripts/aio-version-checker.py --release-tag v1.2.36 -t terraform
# -> [] (should report secret_sync_controller and operations_config mismatches)
Gap 2 — cert-manager drift is invisible (component moved to 109-arc-extensions)
cert-manager and container storage were moved out of 110-iot-ops into the 109-arc-extensions component, but the checker still points at the old location/names:
- TERRAFORM_COMPONENTS maps cert_manager → but no such variable exists in 110-iot-ops anymore.
- BICEP_COMPONENTS referenced aioCertManagerExtensionDefaults, which no longer exists (the 109 component uses certManagerExtensionDefaults).
- The checker never reads 109-arc-extensions/terraform/variables.tf or 109-arc-extensions/bicep/types.bicep.
Consequently the manifest bump certManager 0.12.0 → 0.13.3 was not flagged by the checker.
Impact
- CI (aio-version-checker) can report a clean run while Terraform pins and the cert-manager version are stale.
- Version drift is caught only by manual inspection during upgrades.
Proposed fix
- default blocks in the Terraform extractors (add a small _unwrap_hcl helper) so Terraform detection works again.
- 109-arc-extensions for both Terraform (arc_extensions.cert_manager_extension) and Bicep (certManagerExtensionDefaults), including a BICEP_COMPONENT_FILES map for variables declared outside 110-iot-ops.
- local_file to each reported mismatch so CI output points at the right component.
Acceptance criteria
- python3 scripts/aio-version-checker.py --release-tag <current> returns [] when the codebase matches the manifest.
- Running against an older tag reports both Terraform and Bicep mismatches, including cert_manager from 109-arc-extensions, each with the correct local_file.
- The mapping documentation notes how to add a new manifest key (TERRAFORM_COMPONENTS, BICEP_COMPONENTS, BICEP_COMPONENT_FILES, dedicated extractor) so future extensions are covered.
Notes
- The iotops-version-upgrade.prompt.md should reference the checker as a validation step and describe the component-to-manifest version map (delivered alongside this fix).
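The failure mode described under Gap 1, as an added example that is not the project's code: a strict isinstance(defaults, dict) check returns an empty result on list-wrapped defaults, while unwrapping first recovers the versions. The parsed structure, the "version" key and both extractor functions are assumptions; _unwrap_hcl takes its name from the proposed fix but its body is hypothetical, and the fail-closed LookupError goes beyond what the issue proposes.

```python
# Constructed sample in the shape the issue describes: each variable's
# `default` body arrives as [{...}] rather than {...}. The "version" key and
# the version strings are assumptions made for this illustration.
PARSED = {"variable": [
    {"secret_sync_controller": {"default": [{"version": "1.0.0"}]}},
    {"operations_config": {"default": [{"version": "2.0.0"}]}},
]}
NAMES = {"secret_sync_controller", "operations_config"}


def _unwrap_hcl(value):
    """Peel single-element list wrappers: [{...}] -> {...}."""
    while isinstance(value, list) and len(value) == 1:
        value = value[0]
    return value


def extract_before(parsed, names):
    """Strict dict check: a list-wrapped default is skipped without any error."""
    found = []
    for block in parsed.get("variable", []):
        for name, body in block.items():
            defaults = body.get("default") if isinstance(body, dict) else None
            if name in names and isinstance(defaults, dict):
                found.append({"name": name, "version": defaults.get("version")})
    return found


def extract_after(parsed, names):
    """Unwrap before the type check, then fail closed on any unmatched name."""
    found = []
    for block in parsed.get("variable", []):
        for name, body in block.items():
            body = _unwrap_hcl(body)
            defaults = _unwrap_hcl(body.get("default")) if isinstance(body, dict) else None
            if name in names and isinstance(defaults, dict):
                found.append({"name": name, "version": defaults.get("version")})
    missing = sorted(set(names) - {f["name"] for f in found})
    if missing:
        raise LookupError(f"no version extracted for {missing}; refusing to report a clean run")
    return found


if __name__ == "__main__":
    print("before:", extract_before(PARSED, NAMES))
    print("after: ", extract_after(PARSED, NAMES))
```

Raising when a mapped name yields no version lets CI tell "nothing drifted" apart from "nothing was extracted", which is the distinction both gaps erased.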