Add OTEL tracing to policy implementation

This introduces OTEL tracing to the policy implementation.
With this change Tracing spans are going to be picked up from whoever
invoked terraform, passed through the policy evaluation (and with the
callback server back from the policy evaluation).

Author: DanielMSchmidt

internal/backend/local/backend_apply.go

@@ -12,6 +12,8 @@ import (
 
 	"github.com/hashicorp/hcl/v2"
 	"github.com/zclconf/go-cty/cty"
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/trace"
 
 	"github.com/hashicorp/terraform/internal/addrs"
 	"github.com/hashicorp/terraform/internal/backend/backendrun"
@@ -93,6 +95,7 @@ func (b *Local) opApply(
 
 	var plan *plans.Plan
 	combinedPlanApply := false
+	lr.Core.SetTracingContext(stopCtx)
 	// If we weren't given a plan, then we refresh/plan
 	if op.PlanFile == nil {
 		// set the policy client to nil for the plan preceding apply
@@ -445,7 +448,22 @@ func (b *Local) opApply(
 	diags = diags.Append(applyDiags)
 
 	// Print the policy results we found during apply
+	policyResultCount := 0
+	if plan.PolicyResults != nil {
+		policyResultCount = plan.PolicyResults.Len()
+	}
+	var polRenderSpan trace.Span
+	polRenderSpanEnd := func() {}
+	if policyResultCount > 0 {
+		_, polRenderSpan = tracer().Start(stopCtx, "terraform.local.apply.render_policy_results",
+			trace.WithAttributes(
+				attribute.Int("apply.policy_results", policyResultCount),
+			),
+		)
+		polRenderSpanEnd = func() { polRenderSpan.End() }
+	}
 	op.View.PolicyResults(plan.PolicyResults, nil)
+	polRenderSpanEnd()
 
 	// Even on error with an empty state, the state value should not be nil.
 	// Return early here to prevent corrupting any existing state.

internal/backend/local/backend_plan.go

@@ -9,6 +9,9 @@ import (
 	"io"
 	"log"
 
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/trace"
+
 	"github.com/hashicorp/terraform/internal/backend/backendrun"
 	"github.com/hashicorp/terraform/internal/genconfig"
 	"github.com/hashicorp/terraform/internal/logging"
@@ -118,6 +121,7 @@ func (b *Local) opPlan(
 		defer logging.PanicHandler()
 		defer close(doneCh)
 		log.Printf("[INFO] backend/local: plan calling Plan")
+		lr.Core.SetTracingContext(stopCtx)
 		plan, planDiags = lr.Core.Plan(lr.Config, lr.InputState, lr.PlanOpts)
 	}()
 
@@ -223,7 +227,22 @@ func (b *Local) opPlan(
 	op.View.Plan(plan, schemas)
 
 	// Report all policy results that may have accumulated during the plan
+	policyResultCount := 0
+	if plan.PolicyResults != nil {
+		policyResultCount = plan.PolicyResults.Len()
+	}
+	var polRenderSpan trace.Span
+	polRenderSpanEnd := func() {}
+	if policyResultCount > 0 {
+		_, polRenderSpan = tracer().Start(stopCtx, "terraform.local.plan.render_policy_results",
+			trace.WithAttributes(
+				attribute.Int("plan.policy_results", policyResultCount),
+			),
+		)
+		polRenderSpanEnd = func() { polRenderSpan.End() }
+	}
 	op.View.PolicyResults(plan.PolicyResults, nil)
+	polRenderSpanEnd()
 
 	// If we've accumulated any diagnostics along the way then we'll show them
 	// here just before we show the summary and next steps. This can potentially

internal/backend/local/backend_refresh.go

@@ -91,6 +91,7 @@ func (b *Local) opRefresh(
 	go func() {
 		defer logging.PanicHandler()
 		defer close(doneCh)
+		lr.Core.SetTracingContext(stopCtx)
 		newState, refreshDiags = lr.Core.Refresh(lr.Config, lr.InputState, lr.PlanOpts)
 		log.Printf("[INFO] backend/local: refresh calling Refresh")
 	}()

internal/backend/local/telemetry.go

@@ -0,0 +1,18 @@
+// Copyright IBM Corp. 2014, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package local
+
+import (
+	"go.opentelemetry.io/otel"
+	"go.opentelemetry.io/otel/trace"
+)
+
+// tracer returns the OpenTelemetry tracer for the local backend.
+//
+// Resolved lazily on every call so the global TracerProvider installed by
+// the CLI's openTelemetryInit (which runs after this package's init) is
+// reflected in the tracer used at runtime.
+func tracer() trace.Tracer {
+	return otel.Tracer("github.com/hashicorp/terraform/internal/backend/local")
+}

internal/command/apply.go

@@ -4,7 +4,6 @@
 package command
 
 import (
-	"context"
 	"fmt"
 	"strings"
 
@@ -105,7 +104,7 @@ func (c *ApplyCommand) Run(rawArgs []string) int {
 	}
 
 	if len(args.PolicyPaths) > 0 {
-		client, policyDiags, stopClient := c.PolicyClient(context.Background(), args.PolicyPaths)
+		client, policyDiags, stopClient := c.PolicyClient(c.CommandContext(), args.PolicyPaths)
 		// if there has been any errors when setting up the policy client, we log them but
 		// we still proceed with the operation, as a failure to set up the policy client
 		// should not prevent the apply operation from running

internal/command/meta.go

@@ -20,9 +20,10 @@ import (
 
 	"github.com/hashicorp/cli"
 	plugin "github.com/hashicorp/go-plugin"
-	"github.com/hashicorp/terraform-svchost/disco"
 	"github.com/mitchellh/colorstring"
 
+	"github.com/hashicorp/terraform-svchost/disco"
+
 	"github.com/hashicorp/terraform/internal/addrs"
 	"github.com/hashicorp/terraform/internal/backend"
 	"github.com/hashicorp/terraform/internal/backend/backendrun"
@@ -497,7 +498,7 @@ func (m *Meta) RunOperation(b backendrun.OperationsBackend, opReq *backendrun.Op
 		opReq.ConfigDir = m.normalizePath(opReq.ConfigDir)
 	}
 
-	op, err := b.Operation(context.Background(), opReq)
+	op, err := b.Operation(m.CommandContext(), opReq)
 	if err != nil {
 		return nil, fmt.Errorf("error starting operation: %s", err)
 	}

internal/command/plan.go

@@ -4,7 +4,6 @@
 package command
 
 import (
-	"context"
 	"fmt"
 	"strings"
 
@@ -89,7 +88,7 @@ func (c *PlanCommand) Run(rawArgs []string) int {
 	}
 
 	if len(args.PolicyPaths) > 0 {
-		client, policyDiags, stopClient := c.PolicyClient(context.Background(), args.PolicyPaths)
+		client, policyDiags, stopClient := c.PolicyClient(c.CommandContext(), args.PolicyPaths)
 		// if there has been any errors when setting up the policy client, we log them but
 		// we still proceed with the operation, as a failure to set up the policy client
 		// should not prevent the plan operation from running

internal/policy/callback/callback.go

@@ -4,15 +4,16 @@
 package callback
 
 import (
+	"context"
 	"sync"
 	"sync/atomic"
 
 	"github.com/zclconf/go-cty/cty"
 )
 
 type Functions struct {
-	GetResources  func(resource string, attrs cty.Value) ([]cty.Value, error)
-	GetDataSource func(datasource string, attrs cty.Value) (cty.Value, error)
+	GetResources  func(ctx context.Context, resource string, attrs cty.Value) ([]cty.Value, error)
+	GetDataSource func(ctx context.Context, datasource string, attrs cty.Value) (cty.Value, error)
 }
 
 // Registry is an interface for managing callback functions for resources and

internal/policy/callback/server.go

@@ -9,6 +9,10 @@ import (
 
 	"github.com/zclconf/go-cty/cty"
 	"github.com/zclconf/go-cty/cty/msgpack"
+	"go.opentelemetry.io/otel"
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/codes"
+	"go.opentelemetry.io/otel/trace"
 	"google.golang.org/grpc"
 
 	"github.com/hashicorp/terraform/internal/policy/proto"
@@ -18,59 +22,104 @@ var (
 	_ proto.CallbackServiceServer = (*Server)(nil)
 )
 
+// tracer is resolved lazily so the global TracerProvider installed by
+// openTelemetryInit (which runs after package init) is reflected.
+func tracer() trace.Tracer {
+	return otel.Tracer("github.com/hashicorp/terraform/internal/policy/callback")
+}
+
 type Server struct {
 	ID       uint32
 	Registry Registry
 	Grpc     *grpc.Server
 	proto.UnimplementedCallbackServiceServer
 }
 
-func (s *Server) GetResources(_ context.Context, request *proto.GetResourcesRequest) (*proto.GetResourcesResponse, error) {
+func (s *Server) GetResources(ctx context.Context, request *proto.GetResourcesRequest) (*proto.GetResourcesResponse, error) {
+	ctx, span := tracer().Start(ctx, "policy.callback.server.get_resources",
+		trace.WithAttributes(
+			attribute.String("policy.callback.resource_type", request.Type),
+			attribute.Int64("policy.evaluation.id", int64(request.EvaluationRequestId)),
+		),
+	)
+	defer span.End()
+
 	attrs, err := msgpack.Unmarshal(request.Attributes, cty.DynamicPseudoType)
 	if err != nil {
-		return nil, fmt.Errorf("failed to unserialize attributes: %w", err)
+		err = fmt.Errorf("failed to unserialize attributes: %w", err)
+		span.RecordError(err)
+		span.SetStatus(codes.Error, err.Error())
+		return nil, err
 	}
 	functions, ok := s.Registry.Get(request.EvaluationRequestId)
 	if !ok {
-		return nil, fmt.Errorf("no callback registered for ID %d (request type: %s)", request.EvaluationRequestId, request.Type)
+		err := fmt.Errorf("no callback registered for ID %d (request type: %s)", request.EvaluationRequestId, request.Type)
+		span.RecordError(err)
+		span.SetStatus(codes.Error, err.Error())
+		return nil, err
 	}
-	resources, err := functions.GetResources(request.Type, attrs)
+	resources, err := functions.GetResources(ctx, request.Type, attrs)
 	if err != nil {
+		span.RecordError(err)
+		span.SetStatus(codes.Error, err.Error())
 		return nil, err
 	}
 
 	results := make([][]byte, 0, len(resources))
 	for _, resource := range resources {
 		result, err := msgpack.Marshal(resource, cty.DynamicPseudoType)
 		if err != nil {
-			return nil, fmt.Errorf("failed to serialize resource: %w", err)
+			err = fmt.Errorf("failed to serialize resource: %w", err)
+			span.RecordError(err)
+			span.SetStatus(codes.Error, err.Error())
+			return nil, err
 		}
 		results = append(results, result)
 	}
 
+	span.SetAttributes(attribute.Int("policy.callback.results.count", len(results)))
 	return &proto.GetResourcesResponse{
 		Results: results,
 	}, nil
 }
 
-func (s *Server) GetDataSource(_ context.Context, request *proto.GetDataSourceRequest) (*proto.GetDataSourceResponse, error) {
+func (s *Server) GetDataSource(ctx context.Context, request *proto.GetDataSourceRequest) (*proto.GetDataSourceResponse, error) {
+	ctx, span := tracer().Start(ctx, "policy.callback.server.get_datasource",
+		trace.WithAttributes(
+			attribute.String("policy.callback.datasource_type", request.Type),
+			attribute.Int64("policy.evaluation.id", int64(request.EvaluationRequestId)),
+		),
+	)
+	defer span.End()
+
 	config, err := msgpack.Unmarshal(request.Config, cty.DynamicPseudoType)
 	if err != nil {
-		return nil, fmt.Errorf("failed to unserialize config: %w", err)
+		err = fmt.Errorf("failed to unserialize config: %w", err)
+		span.RecordError(err)
+		span.SetStatus(codes.Error, err.Error())
+		return nil, err
 	}
 
 	functions, ok := s.Registry.Get(request.EvaluationRequestId)
 	if !ok {
-		return nil, fmt.Errorf("no callback registered for ID %d (request type: %s)", request.EvaluationRequestId, request.Type)
+		err := fmt.Errorf("no callback registered for ID %d (request type: %s)", request.EvaluationRequestId, request.Type)
+		span.RecordError(err)
+		span.SetStatus(codes.Error, err.Error())
+		return nil, err
 	}
-	datasource, err := functions.GetDataSource(request.Type, config)
+	datasource, err := functions.GetDataSource(ctx, request.Type, config)
 	if err != nil {
+		span.RecordError(err)
+		span.SetStatus(codes.Error, err.Error())
 		return nil, err
 	}
 
 	result, err := msgpack.Marshal(datasource, cty.DynamicPseudoType)
 	if err != nil {
-		return nil, fmt.Errorf("failed to serialize datasource: %w", err)
+		err = fmt.Errorf("failed to serialize datasource: %w", err)
+		span.RecordError(err)
+		span.SetStatus(codes.Error, err.Error())
+		return nil, err
 	}
 
 	return &proto.GetDataSourceResponse{