cli: perform upgrades in-place in Terraform workspace (#2317)

* perform upgrades in-place in terraform workspace Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * update buildfiles Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add iam upgrade apply test Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * update buildfiles Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix linter Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * make config fetcher stubbable Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * change workspace restoring behaviour Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * allow overwriting existing Terraform files Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * allow overwrites of TF variables Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix iam upgrade apply Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix embed directive Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * make loader test less brittle Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * pass upgrade ID to user Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * naming nit Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * use upgradeDir Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * tidy Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> --------- Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2025-08-07 14:32:17 -04:00 · 2023-09-14 11:51:20 +02:00 · 2023-09-14 11:51:20 +02:00 · 95cf4bdf21
commit 95cf4bdf21
parent 9c54ff06e0
19 changed files with 410 additions and 286 deletions
--- a/cli/internal/cmd/BUILD.bazel
+++ b/cli/internal/cmd/BUILD.bazel
@ -115,6 +115,7 @@ go_test(
        "create_test.go",
        "iamcreate_test.go",
        "iamdestroy_test.go",
+        "iamupgradeapply_test.go",
        "init_test.go",
        "recover_test.go",
        "spinner_test.go",
--- a/cli/internal/cmd/iamupgradeapply.go
+++ b/cli/internal/cmd/iamupgradeapply.go
@ -48,8 +48,8 @@ func newIAMUpgradeApplyCmd() *cobra.Command {

 type iamUpgradeApplyCmd struct {
 	fileHandler   file.Handler
-	configFetcher attestationconfigapi.Fetcher
 	log           debugLog
+	configFetcher attestationconfigapi.Fetcher
 }

 func runIAMUpgradeApply(cmd *cobra.Command, _ []string) error {
@ -58,10 +58,9 @@ func runIAMUpgradeApply(cmd *cobra.Command, _ []string) error {
 		return fmt.Errorf("parsing force argument: %w", err)
 	}
 	fileHandler := file.NewHandler(afero.NewOsFs())
-	configFetcher := attestationconfigapi.NewFetcher()
-
 	upgradeID := generateUpgradeID(upgradeCmdKindIAM)
 	upgradeDir := filepath.Join(constants.UpgradeDir, upgradeID)
+	configFetcher := attestationconfigapi.NewFetcher()
 	iamMigrateCmd, err := cloudcmd.NewIAMUpgrader(
 		cmd.Context(),
 		constants.TerraformIAMWorkingDir,
@ -85,8 +84,8 @@ func runIAMUpgradeApply(cmd *cobra.Command, _ []string) error {

 	i := iamUpgradeApplyCmd{
 		fileHandler:   fileHandler,
-		configFetcher: configFetcher,
 		log:           log,
+		configFetcher: configFetcher,
 	}

 	return i.iamUpgradeApply(cmd, iamMigrateCmd, upgradeDir, force, yes)
@ -108,7 +107,7 @@ func (i iamUpgradeApplyCmd) iamUpgradeApply(cmd *cobra.Command, iamUpgrader iamU
 	}
 	hasDiff, err := iamUpgrader.PlanIAMUpgrade(cmd.Context(), cmd.OutOrStderr(), vars, conf.GetProvider())
 	if err != nil {
-		return err
+		return fmt.Errorf("planning terraform migrations: %w", err)
 	}
 	if !hasDiff && !force {
 		cmd.Println("No IAM migrations necessary.")
@ -124,9 +123,14 @@ func (i iamUpgradeApplyCmd) iamUpgradeApply(cmd *cobra.Command, iamUpgrader iamU
 		}
 		if !ok {
 			cmd.Println("Aborting upgrade.")
-			// Remove the upgrade directory
-			if err := i.fileHandler.RemoveAll(upgradeDir); err != nil {
-				return fmt.Errorf("cleaning up upgrade directory %s: %w", upgradeDir, err)
+			// User doesn't expect to see any changes in his workspace after aborting an "upgrade apply",
+			// therefore, roll back to the backed up state.
+			if err := iamUpgrader.RestoreIAMWorkspace(); err != nil {
+				return fmt.Errorf(
+					"restoring Terraform workspace: %w, restore the Terraform workspace manually from %s ",
+					err,
+					filepath.Join(upgradeDir, constants.TerraformIAMUpgradeBackupDir),
+				)
 			}
 			return errors.New("IAM upgrade aborted by user")
 		}
@ -144,4 +148,5 @@ func (i iamUpgradeApplyCmd) iamUpgradeApply(cmd *cobra.Command, iamUpgrader iamU
 type iamUpgrader interface {
 	PlanIAMUpgrade(ctx context.Context, outWriter io.Writer, vars terraform.Variables, csp cloudprovider.Provider) (bool, error)
 	ApplyIAMUpgrade(ctx context.Context, csp cloudprovider.Provider) error
+	RestoreIAMWorkspace() error
 }
--- a/cli/internal/cmd/iamupgradeapply_test.go
+++ b/cli/internal/cmd/iamupgradeapply_test.go
@ -0,0 +1,181 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package cmd
+
+import (
+	"context"
+	"io"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
+	"github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
+	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
+	"github.com/edgelesssys/constellation/v2/internal/config"
+	"github.com/edgelesssys/constellation/v2/internal/constants"
+	"github.com/edgelesssys/constellation/v2/internal/file"
+	"github.com/edgelesssys/constellation/v2/internal/logger"
+	"github.com/spf13/afero"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestIamUpgradeApply(t *testing.T) {
+	setupFs := func(createConfig, createTerraformVars bool) file.Handler {
+		fs := afero.NewMemMapFs()
+		fh := file.NewHandler(fs)
+		if createConfig {
+			cfg := defaultConfigWithExpectedMeasurements(t, config.Default(), cloudprovider.Azure)
+			require.NoError(t, fh.WriteYAML(constants.ConfigFilename, cfg))
+		}
+		if createTerraformVars {
+			require.NoError(t, fh.Write(
+				filepath.Join(constants.TerraformIAMWorkingDir, "terraform.tfvars"),
+				[]byte(
+					"region = \"foo\"\n"+
+						"resource_group_name = \"bar\"\n"+
+						"service_principal_name = \"baz\"\n",
+				),
+			))
+		}
+		return fh
+	}
+
+	testCases := map[string]struct {
+		fh            file.Handler
+		iamUpgrader   *stubIamUpgrader
+		configFetcher *stubConfigFetcher
+		yesFlag       bool
+		input         string
+		wantErr       bool
+	}{
+		"success": {
+			fh:            setupFs(true, true),
+			configFetcher: &stubConfigFetcher{},
+			iamUpgrader:   &stubIamUpgrader{},
+		},
+		"abort": {
+			fh:            setupFs(true, true),
+			iamUpgrader:   &stubIamUpgrader{},
+			configFetcher: &stubConfigFetcher{},
+			input:         "no",
+			yesFlag:       true,
+		},
+		"config missing": {
+			fh:            setupFs(false, true),
+			iamUpgrader:   &stubIamUpgrader{},
+			configFetcher: &stubConfigFetcher{},
+			yesFlag:       true,
+			wantErr:       true,
+		},
+		"iam vars missing": {
+			fh:            setupFs(true, false),
+			iamUpgrader:   &stubIamUpgrader{},
+			configFetcher: &stubConfigFetcher{},
+			yesFlag:       true,
+			wantErr:       true,
+		},
+		"plan error": {
+			fh: setupFs(true, true),
+			iamUpgrader: &stubIamUpgrader{
+				planErr: assert.AnError,
+			},
+			configFetcher: &stubConfigFetcher{},
+			yesFlag:       true,
+			wantErr:       true,
+		},
+		"apply error": {
+			fh: setupFs(true, true),
+			iamUpgrader: &stubIamUpgrader{
+				hasDiff:  true,
+				applyErr: assert.AnError,
+			},
+			configFetcher: &stubConfigFetcher{},
+			yesFlag:       true,
+			wantErr:       true,
+		},
+		"restore error": {
+			fh: setupFs(true, true),
+			iamUpgrader: &stubIamUpgrader{
+				hasDiff:     true,
+				rollbackErr: assert.AnError,
+			},
+			configFetcher: &stubConfigFetcher{},
+			input:         "no\n",
+			wantErr:       true,
+		},
+		"config fetcher err": {
+			fh: setupFs(true, true),
+			iamUpgrader: &stubIamUpgrader{
+				rollbackErr: assert.AnError,
+			},
+			configFetcher: &stubConfigFetcher{
+				fetchLatestErr: assert.AnError,
+			},
+			yesFlag: true,
+			wantErr: true,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+
+			cmd := newIAMUpgradeApplyCmd()
+			cmd.SetIn(strings.NewReader(tc.input))
+
+			iamUpgradeApplyCmd := &iamUpgradeApplyCmd{
+				fileHandler:   tc.fh,
+				log:           logger.NewTest(t),
+				configFetcher: tc.configFetcher,
+			}
+
+			err := iamUpgradeApplyCmd.iamUpgradeApply(cmd, tc.iamUpgrader, "", false, tc.yesFlag)
+			if tc.wantErr {
+				assert.Error(err)
+			} else {
+				assert.NoError(err)
+			}
+		})
+	}
+}
+
+type stubIamUpgrader struct {
+	hasDiff     bool
+	planErr     error
+	applyErr    error
+	rollbackErr error
+}
+
+func (u *stubIamUpgrader) PlanIAMUpgrade(context.Context, io.Writer, terraform.Variables, cloudprovider.Provider) (bool, error) {
+	return u.hasDiff, u.planErr
+}
+
+func (u *stubIamUpgrader) ApplyIAMUpgrade(context.Context, cloudprovider.Provider) error {
+	return u.applyErr
+}
+
+func (u *stubIamUpgrader) RestoreIAMWorkspace() error {
+	return u.rollbackErr
+}
+
+type stubConfigFetcher struct {
+	fetchLatestErr error
+}
+
+func (s *stubConfigFetcher) FetchAzureSEVSNPVersion(context.Context, attestationconfigapi.AzureSEVSNPVersionAPI) (attestationconfigapi.AzureSEVSNPVersionAPI, error) {
+	panic("not implemented")
+}
+
+func (s *stubConfigFetcher) FetchAzureSEVSNPVersionList(context.Context, attestationconfigapi.AzureSEVSNPVersionList) (attestationconfigapi.AzureSEVSNPVersionList, error) {
+	panic("not implemented")
+}
+
+func (s *stubConfigFetcher) FetchAzureSEVSNPVersionLatest(context.Context, time.Time) (attestationconfigapi.AzureSEVSNPVersionAPI, error) {
+	return attestationconfigapi.AzureSEVSNPVersionAPI{}, s.fetchLatestErr
+}
--- a/cli/internal/cmd/upgradeapply.go
+++ b/cli/internal/cmd/upgradeapply.go
@ -301,9 +301,14 @@ func (u *upgradeApplyCmd) migrateTerraform(cmd *cobra.Command, conf *config.Conf
 			}
 			if !ok {
 				cmd.Println("Aborting upgrade.")
-				// Remove the upgrade directory
-				if err := u.fileHandler.RemoveAll(upgradeDir); err != nil {
-					return res, fmt.Errorf("cleaning up upgrade directory %s: %w", upgradeDir, err)
+				// User doesn't expect to see any changes in his workspace after aborting an "upgrade apply",
+				// therefore, roll back to the backed up state.
+				if err := u.clusterUpgrader.RestoreClusterWorkspace(); err != nil {
+					return res, fmt.Errorf(
+						"restoring Terraform workspace: %w, restore the Terraform workspace manually from %s ",
+						err,
+						filepath.Join(upgradeDir, constants.TerraformUpgradeBackupDir),
+					)
 				}
 				return res, fmt.Errorf("cluster upgrade aborted by user")
 			}
@ -636,4 +641,5 @@ type kubernetesUpgrader interface {
 type clusterUpgrader interface {
 	PlanClusterUpgrade(ctx context.Context, outWriter io.Writer, vars terraform.Variables, csp cloudprovider.Provider) (bool, error)
 	ApplyClusterUpgrade(ctx context.Context, csp cloudprovider.Provider) (terraform.ApplyOutput, error)
+	RestoreClusterWorkspace() error
 }
--- a/cli/internal/cmd/upgradeapply_test.go
+++ b/cli/internal/cmd/upgradeapply_test.go
@ -83,6 +83,15 @@ func TestUpgradeApply(t *testing.T) {
 			wantErr:           true,
 			stdin:             "no\n",
 		},
+		"abort, restore terraform err": {
+			kubeUpgrader: &stubKubernetesUpgrader{
+				currentConfig: config.DefaultForAzureSEVSNP(),
+			},
+			helmUpgrader:      stubApplier{},
+			terraformUpgrader: &stubTerraformUpgrader{terraformDiff: true, rollbackWorkspaceErr: assert.AnError},
+			wantErr:           true,
+			stdin:             "no\n",
+		},
 		"plan terraform error": {
 			kubeUpgrader: &stubKubernetesUpgrader{
 				currentConfig: config.DefaultForAzureSEVSNP(),
@ -220,9 +229,10 @@ func (u *stubKubernetesUpgrader) RemoveHelmKeepAnnotation(_ context.Context) err
 }

 type stubTerraformUpgrader struct {
-	terraformDiff     bool
-	planTerraformErr  error
-	applyTerraformErr error
+	terraformDiff        bool
+	planTerraformErr     error
+	applyTerraformErr    error
+	rollbackWorkspaceErr error
 }

 func (u stubTerraformUpgrader) PlanClusterUpgrade(_ context.Context, _ io.Writer, _ terraform.Variables, _ cloudprovider.Provider) (bool, error) {
@ -233,6 +243,10 @@ func (u stubTerraformUpgrader) ApplyClusterUpgrade(_ context.Context, _ cloudpro
 	return terraform.ApplyOutput{}, u.applyTerraformErr
 }

+func (u stubTerraformUpgrader) RestoreClusterWorkspace() error {
+	return u.rollbackWorkspaceErr
+}
+
 type mockTerraformUpgrader struct {
 	mock.Mock
 }
@ -247,6 +261,11 @@ func (m *mockTerraformUpgrader) ApplyClusterUpgrade(ctx context.Context, provide
 	return args.Get(0).(terraform.ApplyOutput), args.Error(1)
 }

+func (m *mockTerraformUpgrader) RestoreClusterWorkspace() error {
+	args := m.Called()
+	return args.Error(0)
+}
+
 type mockApplier struct {
 	mock.Mock
 }
--- a/cli/internal/cmd/upgradecheck.go
+++ b/cli/internal/cmd/upgradecheck.go
@ -108,12 +108,13 @@ func runUpgradeCheck(cmd *cobra.Command, _ []string) error {
 			log:            log,
 			versionsapi:    versionfetcher,
 		},
+		upgradeDir:       upgradeDir,
 		terraformChecker: tfClient,
 		fileHandler:      fileHandler,
 		log:              log,
 	}

-	return up.upgradeCheck(cmd, attestationconfigapi.NewFetcher(), upgradeDir, flags)
+	return up.upgradeCheck(cmd, attestationconfigapi.NewFetcher(), flags)
 }

 func parseUpgradeCheckFlags(cmd *cobra.Command) (upgradeCheckFlags, error) {
@ -154,6 +155,7 @@ func parseUpgradeCheckFlags(cmd *cobra.Command) (upgradeCheckFlags, error) {

 type upgradeCheckCmd struct {
 	canUpgradeCheck  bool
+	upgradeDir       string
 	collect          collector
 	terraformChecker terraformChecker
 	fileHandler      file.Handler
@ -161,7 +163,7 @@ type upgradeCheckCmd struct {
 }

 // upgradePlan plans an upgrade of a Constellation cluster.
-func (u *upgradeCheckCmd) upgradeCheck(cmd *cobra.Command, fetcher attestationconfigapi.Fetcher, upgradeDir string, flags upgradeCheckFlags) error {
+func (u *upgradeCheckCmd) upgradeCheck(cmd *cobra.Command, fetcher attestationconfigapi.Fetcher, flags upgradeCheckFlags) error {
 	conf, err := config.New(u.fileHandler, constants.ConfigFilename, fetcher, flags.force)
 	var configValidationErr *config.ValidationError
 	if errors.As(err, &configValidationErr) {
@ -235,9 +237,14 @@ func (u *upgradeCheckCmd) upgradeCheck(cmd *cobra.Command, fetcher attestationco
 		return fmt.Errorf("planning terraform migrations: %w", err)
 	}
 	defer func() {
-		// Remove the upgrade directory
-		if err := u.fileHandler.RemoveAll(upgradeDir); err != nil {
-			u.log.Debugf("Failed to clean up Terraform migrations: %s", err)
+		// User doesn't expect to see any changes in his workspace after an "upgrade plan",
+		// therefore, roll back to the backed up state.
+		if err := u.terraformChecker.RestoreClusterWorkspace(); err != nil {
+			cmd.PrintErrf(
+				"restoring Terraform workspace: %s, restore the Terraform workspace manually from %s ",
+				err,
+				filepath.Join(u.upgradeDir, constants.TerraformUpgradeBackupDir),
+			)
 		}
 	}()

@ -728,6 +735,7 @@ type kubernetesChecker interface {

 type terraformChecker interface {
 	PlanClusterUpgrade(ctx context.Context, outWriter io.Writer, vars terraform.Variables, csp cloudprovider.Provider) (bool, error)
+	RestoreClusterWorkspace() error
 }

 type versionListFetcher interface {
--- a/cli/internal/cmd/upgradecheck_test.go
+++ b/cli/internal/cmd/upgradecheck_test.go
@ -24,7 +24,6 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/constants"
 	"github.com/edgelesssys/constellation/v2/internal/file"
 	"github.com/edgelesssys/constellation/v2/internal/logger"
-	"github.com/edgelesssys/constellation/v2/internal/semver"
 	consemver "github.com/edgelesssys/constellation/v2/internal/semver"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
@ -47,8 +46,8 @@ func TestBuildString(t *testing.T) {
 				newKubernetes:     []string{"v1.24.12", "v1.25.6"},
 				newCLI:            []consemver.Semver{consemver.NewFromInt(2, 5, 0, ""), consemver.NewFromInt(2, 6, 0, "")},
 				currentServices:   consemver.NewFromInt(2, 4, 0, ""),
-				currentImage:      semver.NewFromInt(2, 4, 0, ""),
-				currentKubernetes: semver.NewFromInt(1, 24, 5, ""),
+				currentImage:      consemver.NewFromInt(2, 4, 0, ""),
+				currentKubernetes: consemver.NewFromInt(1, 24, 5, ""),
 				currentCLI:        consemver.NewFromInt(2, 4, 0, ""),
 			},
 			expected: "The following updates are available with this CLI:\n  Kubernetes: v1.24.5 --> v1.24.12 v1.25.6\n  Images:\n    v2.4.0 --> v2.5.0\n      Includes these measurements:\n      4:\n          expected: \"1234123412341234123412341234123412341234123412341234123412341234\"\n          warnOnly: false\n      8:\n          expected: \"0000000000000000000000000000000000000000000000000000000000000000\"\n          warnOnly: false\n      9:\n          expected: \"1234123412341234123412341234123412341234123412341234123412341234\"\n          warnOnly: false\n      11:\n          expected: \"0000000000000000000000000000000000000000000000000000000000000000\"\n          warnOnly: false\n      12:\n          expected: \"1234123412341234123412341234123412341234123412341234123412341234\"\n          warnOnly: false\n      13:\n          expected: \"0000000000000000000000000000000000000000000000000000000000000000\"\n          warnOnly: false\n      15:\n          expected: \"0000000000000000000000000000000000000000000000000000000000000000\"\n          warnOnly: false\n      \n  Services: v2.4.0 --> v2.5.0\n",
@ -70,7 +69,7 @@ func TestBuildString(t *testing.T) {
 		"k8s only": {
 			upgrade: versionUpgrade{
 				newKubernetes:     []string{"v1.24.12", "v1.25.6"},
-				currentKubernetes: semver.NewFromInt(1, 24, 5, ""),
+				currentKubernetes: consemver.NewFromInt(1, 24, 5, ""),
 			},
 			expected: "The following updates are available with this CLI:\n  Kubernetes: v1.24.5 --> v1.24.12 v1.25.6\n",
 		},
@ -81,8 +80,8 @@ func TestBuildString(t *testing.T) {
 				newKubernetes:     []string{},
 				newCLI:            []consemver.Semver{},
 				currentServices:   consemver.NewFromInt(2, 5, 0, ""),
-				currentImage:      semver.NewFromInt(2, 5, 0, ""),
-				currentKubernetes: semver.NewFromInt(1, 25, 6, ""),
+				currentImage:      consemver.NewFromInt(2, 5, 0, ""),
+				currentKubernetes: consemver.NewFromInt(1, 25, 6, ""),
 				currentCLI:        consemver.NewFromInt(2, 5, 0, ""),
 			},
 			expected: "You are up to date.\n",
@ -165,8 +164,8 @@ func TestUpgradeCheck(t *testing.T) {
 		},
 		supportedK8sVersions:    []string{"v1.24.5", "v1.24.12", "v1.25.6"},
 		currentServicesVersions: consemver.NewFromInt(2, 4, 0, ""),
-		currentImageVersion:     semver.NewFromInt(2, 4, 0, ""),
-		currentK8sVersion:       semver.NewFromInt(1, 24, 5, ""),
+		currentImageVersion:     consemver.NewFromInt(2, 4, 0, ""),
+		currentK8sVersion:       consemver.NewFromInt(1, 24, 5, ""),
 		currentCLIVersion:       consemver.NewFromInt(2, 4, 0, ""),
 		images:                  []versionsapi.Version{v2_5},
 		newCLIVersionsList:      []consemver.Semver{consemver.NewFromInt(2, 5, 0, ""), consemver.NewFromInt(2, 6, 0, "")},
@ -185,15 +184,23 @@ func TestUpgradeCheck(t *testing.T) {
 			csp:        cloudprovider.GCP,
 			cliVersion: "v1.0.0",
 		},
-		"terraform err": {
+		"terraform plan err": {
 			collector: collector,
 			checker: stubTerraformChecker{
-				err: assert.AnError,
+				planErr: assert.AnError,
 			},
 			csp:        cloudprovider.GCP,
 			cliVersion: "v1.0.0",
 			wantError:  true,
 		},
+		"terraform rollback err, log only": {
+			collector: collector,
+			checker: stubTerraformChecker{
+				rollbackErr: assert.AnError,
+			},
+			csp:        cloudprovider.GCP,
+			cliVersion: "v1.0.0",
+		},
 	}

 	for name, tc := range testCases {
@ -214,7 +221,7 @@ func TestUpgradeCheck(t *testing.T) {

 			cmd := newUpgradeCheckCmd()

-			err := checkCmd.upgradeCheck(cmd, stubAttestationFetcher{}, "test", upgradeCheckFlags{})
+			err := checkCmd.upgradeCheck(cmd, stubAttestationFetcher{}, upgradeCheckFlags{})
 			if tc.wantError {
 				assert.Error(err)
 				return
@ -279,12 +286,17 @@ func (s *stubVersionCollector) filterCompatibleCLIVersions(_ context.Context, _
 }

 type stubTerraformChecker struct {
-	tfDiff bool
-	err    error
+	tfDiff      bool
+	planErr     error
+	rollbackErr error
 }

 func (s stubTerraformChecker) PlanClusterUpgrade(_ context.Context, _ io.Writer, _ terraform.Variables, _ cloudprovider.Provider) (bool, error) {
-	return s.tfDiff, s.err
+	return s.tfDiff, s.planErr
+}
+
+func (s stubTerraformChecker) RestoreClusterWorkspace() error {
+	return s.rollbackErr
 }

 func TestNewCLIVersions(t *testing.T) {
@ -374,7 +386,7 @@ func TestFilterCompatibleCLIVersions(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			require := require.New(t)

-			_, err := tc.verCollector.filterCompatibleCLIVersions(context.Background(), tc.cliPatchVersions, semver.NewFromInt(1, 24, 5, ""))
+			_, err := tc.verCollector.filterCompatibleCLIVersions(context.Background(), tc.cliPatchVersions, consemver.NewFromInt(1, 24, 5, ""))
 			if tc.wantErr {
 				require.Error(err)
 				return