add terraform_json_syntax rule (#297)

bendrucker · web-flow · commit c646c32503dd · 2025-10-17T16:00:32.000-07:00
diff --git a/docs/rules/README.md b/docs/rules/README.md
@@ -13,6 +13,7 @@ All rules are enabled by default, but by setting `preset = "recommended"`, you c
 |[terraform_documented_outputs](terraform_documented_outputs.md)|Disallow `output` declarations without description||
 |[terraform_documented_variables](terraform_documented_variables.md)|Disallow `variable` declarations without description||
 |[terraform_empty_list_equality](terraform_empty_list_equality.md)|Disallow comparisons with `[]` when checking if a collection is empty|✔|
+|[terraform_json_syntax](terraform_json_syntax.md)|Enforce the official Terraform JSON syntax that uses a root object|✔|
 |[terraform_map_duplicate_keys](terraform_map_duplicate_keys.md)|Disallow duplicate keys in a map object|✔|
 |[terraform_module_pinned_source](terraform_module_pinned_source.md)|Disallow specifying a git or mercurial repository as a module source without pinning to a version|✔|
 |[terraform_module_shallow_clone](terraform_module_shallow_clone.md)|Require pinned Git-hosted Terraform modules to use shallow cloning||
diff --git a/docs/rules/terraform_json_syntax.md b/docs/rules/terraform_json_syntax.md
@@ -0,0 +1,61 @@
+# terraform_json_syntax
+
+Enforce the official Terraform JSON syntax that uses a root object with keys for each block type.
+
+## Example
+
+```json
+[{"resource": {"aws_instance": {"example": {"ami": "ami-12345678"}}}}]
+```
+
+```
+$ tflint
+1 issue(s) found:
+
+Warning: JSON configuration uses array syntax at root, expected object (terraform_json_syntax)
+
+  on main.tf.json line 1:
+   1: [{"resource": {"aws_instance": {"example": {"ami": "ami-12345678"}}}}]
+
+Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.1.0/docs/rules/terraform_json_syntax.md
+```
+
+## Why
+
+The [Terraform JSON syntax documentation](https://developer.hashicorp.com/terraform/language/syntax/json#json-file-structure) states:
+
+> At the root of any JSON-based Terraform configuration is a JSON object. The properties of this object correspond to the top-level block types of the Terraform language.
+
+While Terraform's underlying HCL parser supports flattening arrays, the documented and supported standard is to use a root object with top-level keys for Terraform's block types: `resource`, `variable`, `output`, etc. Using the official syntax ensures compatibility with third party tools that implement the documented standard.
+
+## How To Fix
+
+Convert your array-based JSON configuration to use a root object. Instead of wrapping configuration in an array, use an object with appropriate top-level keys.
+
+### Before
+
+```json
+[
+  {"resource": {"aws_instance": {"example": {"ami": "ami-12345678"}}}},
+  {"variable": {"region": {"type": "string"}}}
+]
+```
+
+### After
+
+```json
+{
+  "resource": {
+    "aws_instance": {
+      "example": {
+        "ami": "ami-12345678"
+      }
+    }
+  },
+  "variable": {
+    "region": {
+      "type": "string"
+    }
+  }
+}
+```
diff --git a/rules/preset.go b/rules/preset.go
@@ -11,6 +11,7 @@ var PresetRules = map[string][]tflint.Rule{
 		NewTerraformDocumentedOutputsRule(),
 		NewTerraformDocumentedVariablesRule(),
 		NewTerraformEmptyListEqualityRule(),
+		NewTerraformJSONSyntaxRule(),
 		NewTerraformMapDuplicateKeysRule(),
 		NewTerraformModulePinnedSourceRule(),
 		NewTerraformModuleShallowCloneRule(),
@@ -29,6 +30,7 @@ var PresetRules = map[string][]tflint.Rule{
 		NewTerraformDeprecatedInterpolationRule(),
 		NewTerraformDeprecatedLookupRule(),
 		NewTerraformEmptyListEqualityRule(),
+		NewTerraformJSONSyntaxRule(),
 		NewTerraformMapDuplicateKeysRule(),
 		NewTerraformModulePinnedSourceRule(),
 		NewTerraformModuleVersionRule(),
diff --git a/rules/terraform_json_syntax.go b/rules/terraform_json_syntax.go
@@ -0,0 +1,223 @@
+package rules
+
+import (
+	stdjson "encoding/json"
+	"strings"
+
+	"github.com/hashicorp/hcl/v2"
+	"github.com/hashicorp/hcl/v2/json"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+	"github.com/terraform-linters/tflint-ruleset-terraform/project"
+)
+
+// deepMerge recursively merges src into dst
+func deepMerge(dst, src map[string]any) {
+	for key, srcVal := range src {
+		if dstVal, exists := dst[key]; exists {
+			// If both are maps, merge recursively
+			srcMap, srcIsMap := srcVal.(map[string]any)
+			dstMap, dstIsMap := dstVal.(map[string]any)
+			if srcIsMap && dstIsMap {
+				deepMerge(dstMap, srcMap)
+				continue
+			}
+		}
+		// Otherwise, src overwrites dst
+		dst[key] = srcVal
+	}
+}
+
+// canMergeValues checks if values can be safely merged without data loss.
+// Values can be merged if they are all maps and any overlapping keys can also be merged recursively.
+func canMergeValues(values []any) bool {
+	if len(values) == 0 {
+		return false
+	}
+
+	// All values must be maps
+	maps := make([]map[string]any, 0, len(values))
+	for _, val := range values {
+		m, ok := val.(map[string]any)
+		if !ok {
+			return false
+		}
+		maps = append(maps, m)
+	}
+
+	// Collect all values by key across all maps
+	keyValues := make(map[string][]any)
+	for _, m := range maps {
+		for key, val := range m {
+			keyValues[key] = append(keyValues[key], val)
+		}
+	}
+
+	// Check each key's values
+	for _, vals := range keyValues {
+		if len(vals) == 1 {
+			continue // Single value, no conflict
+		}
+
+		// Multiple values for this key - check if they're all maps
+		allMaps := true
+		for _, v := range vals {
+			if _, ok := v.(map[string]any); !ok {
+				allMaps = false
+				break
+			}
+		}
+
+		if !allMaps {
+			return false // Can't merge non-map values
+		}
+
+		// Recursively check if these nested maps can be merged
+		if !canMergeValues(vals) {
+			return false
+		}
+	}
+
+	return true
+}
+
+// TerraformJSONSyntaxRule checks whether JSON configuration uses the official syntax
+type TerraformJSONSyntaxRule struct {
+	tflint.DefaultRule
+}
+
+// NewTerraformJSONSyntaxRule returns a new rule
+func NewTerraformJSONSyntaxRule() *TerraformJSONSyntaxRule {
+	return &TerraformJSONSyntaxRule{}
+}
+
+// Name returns the rule name
+func (r *TerraformJSONSyntaxRule) Name() string {
+	return "terraform_json_syntax"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *TerraformJSONSyntaxRule) Enabled() bool {
+	return true
+}
+
+// Severity returns the rule severity
+func (r *TerraformJSONSyntaxRule) Severity() tflint.Severity {
+	return tflint.WARNING
+}
+
+// Link returns the rule reference link
+func (r *TerraformJSONSyntaxRule) Link() string {
+	return project.ReferenceLink(r.Name())
+}
+
+// Check checks whether JSON configurations use object syntax at root
+func (r *TerraformJSONSyntaxRule) Check(runner tflint.Runner) error {
+	path, err := runner.GetModulePath()
+	if err != nil {
+		return err
+	}
+	if !path.IsRoot() {
+		// This rule does not evaluate child modules.
+		return nil
+	}
+
+	files, err := runner.GetFiles()
+	if err != nil {
+		return err
+	}
+	for name, file := range files {
+		if err := r.checkJSONSyntax(runner, name, file); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (r *TerraformJSONSyntaxRule) checkJSONSyntax(runner tflint.Runner, filename string, file *hcl.File) error {
+	if !strings.HasSuffix(filename, ".tf.json") {
+		return nil
+	}
+
+	// Check if this is a JSON body
+	if !json.IsJSONBody(file.Body) {
+		return nil
+	}
+
+	// Unmarshal the file bytes to detect the root type
+	var root any
+	if err := stdjson.Unmarshal(file.Bytes, &root); err != nil {
+		// If we can't parse it, skip (HCL will report the error)
+		return nil
+	}
+
+	// Check if root is an array
+	if arr, isArray := root.([]any); isArray {
+		// Calculate the range covering the entire file
+		lines := strings.Count(string(file.Bytes), "\n") + 1
+		lastLineLen := len(strings.TrimRight(string(file.Bytes), "\n"))
+		if idx := strings.LastIndex(string(file.Bytes), "\n"); idx >= 0 {
+			lastLineLen = len(file.Bytes) - idx - 1
+		}
+
+		fileRange := hcl.Range{
+			Filename: filename,
+			Start:    hcl.Pos{Line: 1, Column: 1, Byte: 0},
+			End:      hcl.Pos{Line: lines, Column: lastLineLen + 1, Byte: len(file.Bytes)},
+		}
+
+		if err := runner.EmitIssueWithFix(
+			r,
+			"JSON configuration uses array syntax at root, expected object",
+			file.Body.MissingItemRange(),
+			func(f tflint.Fixer) error {
+				// First pass: collect all values by key
+				keyValues := make(map[string][]any)
+				for _, item := range arr {
+					if obj, ok := item.(map[string]any); ok {
+						for key, val := range obj {
+							keyValues[key] = append(keyValues[key], val)
+						}
+					}
+				}
+
+				// Second pass: decide whether to merge or collect into array
+				merged := make(map[string]any)
+				for key, values := range keyValues {
+					if len(values) == 1 {
+						// Single value, just use it
+						merged[key] = values[0]
+					} else if canMergeValues(values) {
+						// Values can be merged without conflicts
+						result := make(map[string]any)
+						for _, val := range values {
+							if valMap, ok := val.(map[string]any); ok {
+								deepMerge(result, valMap)
+							}
+						}
+						merged[key] = result
+					} else {
+						// Values conflict, collect into array
+						merged[key] = values
+					}
+				}
+
+				// Marshal back to JSON with indentation
+				fixed, err := stdjson.MarshalIndent(merged, "", "  ")
+				if err != nil {
+					return err
+				}
+
+				// Add trailing newline
+				fixedStr := string(fixed) + "\n"
+
+				// Replace entire file content
+				return f.ReplaceText(fileRange, fixedStr)
+			},
+		); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
diff --git a/rules/terraform_json_syntax_test.go b/rules/terraform_json_syntax_test.go
