Validations should only be run during non-destroy operations

[cam72cam]

This fixes an issue I originally introduced in #2216. The original PR and this PR try to modify the graph transformation process as little as possible due to it's complexity.

Unfortunately, I introduced a path in #2216 for apply that does not apply to destroy operations. In both apply and destroy, we aggressively prune the graph to minimize what actually needs to be evaluated in order to make the necessary changes. This work is done in the pruneUnusedNodesTransformer and relies upon some very specific interface implementation and dense logic.

For #2216, I needed to ensure that variable blocks that have validations are not pruned out from the graph between plan -> apply. I introduced an interface implementation that allows the node to say "Hey! I still need to exist! Don't prune me!". That worked reasonably well for the standard apply scenario, and I added a test to confirm.

However, I did not fully understand the implications for destroy. During a destroy action, the variables should be pruned from the graph and the check not run, as the data it's targeting won't exist (the reason for the check/validation). When it is not pruned, it keeps "configuration" nodes within the apply graph which do not function correctly during destroy operations.

This is not an ideal solution, but it has a very small likelihood of breaking existing workflows. As evidenced by the complexity described above, this is a very tricky thing to modify correctly, and the smaller the change we can make, the better. Longer term, I hope that something that comes out of #3078 will allow us to simplify this whole process.

I still need to add a bespoke test case to context_apply2_test.go and update the changelog

Resolves #3126

Checklist

• I have read the contribution guide.
• I have not used an AI coding assistant to create this PR.
• I have written all code in this PR myself OR I have marked all code I have not written myself (including modified code, e.g. copied from other places and then modified) with a comment indicating where it came from.
• I (and other contributors to this PR) have not looked at the Terraform source code while implementing this PR.

Go checklist

• I have run golangci-lint on my change and receive no errors relevant to my code.
• I have run existing tests to ensure my code doesn't break anything.
• I have added tests for all relevant use cases of my code, and those tests are passing.
• I have only exported functions, variables and structs that should be used from other packages.
• I have added meaningful comments to all exported functions, variables, and structs.

Website/documentation checklist

• I have locally started the website as described here and checked my changes.

[github-actions]

Reminder for the PR assignee: If this is a user-visible change, please update the changelog as part of the PR.

[diofeher]

Thanks for the PR @cam72cam !

Could you please elaborate in two points?

1. Regarding your PR title: "Validations should only be run during non-destroy operations": Why validations shouldn't be run on destroy?

2. In the PR body: "This is not an ideal solution": Could you explain why?

I'm trying to understand if this is a temporary workaround or if a more robust solution is needed. If yes, what would be the challenges on it?

[yottta]

Could you please provide some comments (in code or in the PR description) regarding the thinking process about this? I would be curious what takes drove these changes.

[cam72cam]

@diofeher you are right, let me move this back to draft as I get that (and the checks) sorted 👍

[diofeher]

@cam72cam Now that I've seen your updated description at the PR, it makes sense!

cc @yottta

[Gogotchuri]

This looks good to me!

We have failing tests, which should be fixed before I can approve this.

[Yantrio]

This looks good to me, I think it may be nice to have a test for destroy transformers too though @cam72cam

[cam72cam]

@Yantrio given the complexity of interactions between components in the tofu package, the vast majority of functionality is tested via the context tests.