terraform: Add support for Terraform v1.2 syntax (#1403)

* Bump Terraform version to v1.2.1

* Fix build error due to remove DefaultVariableValues

terraform.DefaultVariableValues is removed in this commit:
hashicorp/terraform@36c4d4c

This removes the redundant code, but the implementation itself is not wrong,
so move it to the tflint package.

Author: wata727

terraform/addrs/module_source.go

@@ -46,18 +46,36 @@ var moduleSourceLocalPrefixes = []string{
 	"..\\",
 }
 
+// ParseModuleSource parses a module source address as given in the "source"
+// argument inside a "module" block in the configuration.
+//
+// For historical reasons this syntax is a bit overloaded, supporting three
+// different address types:
+//   - Local paths starting with either ./ or ../, which are special because
+//     Terraform considers them to belong to the same "package" as the caller.
+//   - Module registry addresses, given as either NAMESPACE/NAME/SYSTEM or
+//     HOST/NAMESPACE/NAME/SYSTEM, in which case the remote registry serves
+//     as an indirection over the third address type that follows.
+//   - Various URL-like and other heuristically-recognized strings which
+//     we currently delegate to the external library go-getter.
+//
+// There is some ambiguity between the module registry addresses and go-getter's
+// very liberal heuristics and so this particular function will typically treat
+// an invalid registry address as some other sort of remote source address
+// rather than returning an error. If you know that you're expecting a
+// registry address in particular, use ParseModuleSourceRegistry instead, which
+// can therefore expose more detailed error messages about registry address
+// parsing in particular.
 func ParseModuleSource(raw string) (ModuleSource, error) {
-	for _, prefix := range moduleSourceLocalPrefixes {
-		if strings.HasPrefix(raw, prefix) {
-			localAddr, err := parseModuleSourceLocal(raw)
-			if err != nil {
-				// This is to make sure we really return a nil ModuleSource in
-				// this case, rather than an interface containing the zero
-				// value of ModuleSourceLocal.
-				return nil, err
-			}
-			return localAddr, nil
+	if isModuleSourceLocal(raw) {
+		localAddr, err := parseModuleSourceLocal(raw)
+		if err != nil {
+			// This is to make sure we really return a nil ModuleSource in
+			// this case, rather than an interface containing the zero
+			// value of ModuleSourceLocal.
+			return nil, err
 		}
+		return localAddr, nil
 	}
 
 	// For historical reasons, whether an address is a registry
@@ -71,7 +89,7 @@ func ParseModuleSource(raw string) (ModuleSource, error) {
 	// the registry source parse error gets returned to the caller,
 	// which is annoying but has been true for many releases
 	// without it posing a serious problem in practice.)
-	if ret, err := parseModuleSourceRegistry(raw); err == nil {
+	if ret, err := ParseModuleSourceRegistry(raw); err == nil {
 		return ret, nil
 	}
 
@@ -150,6 +168,15 @@ func parseModuleSourceLocal(raw string) (ModuleSourceLocal, error) {
 	return ModuleSourceLocal(clean), nil
 }
 
+func isModuleSourceLocal(raw string) bool {
+	for _, prefix := range moduleSourceLocalPrefixes {
+		if strings.HasPrefix(raw, prefix) {
+			return true
+		}
+	}
+	return false
+}
+
 func (s ModuleSourceLocal) moduleSource() {}
 
 func (s ModuleSourceLocal) String() string {
@@ -195,6 +222,30 @@ const DefaultModuleRegistryHost = svchost.Hostname("registry.terraform.io")
 var moduleRegistryNamePattern = regexp.MustCompile("^[0-9A-Za-z](?:[0-9A-Za-z-_]{0,62}[0-9A-Za-z])?$")
 var moduleRegistryTargetSystemPattern = regexp.MustCompile("^[0-9a-z]{1,64}$")
 
+// ParseModuleSourceRegistry is a variant of ParseModuleSource which only
+// accepts module registry addresses, and will reject any other address type.
+//
+// Use this instead of ParseModuleSource if you know from some other surrounding
+// context that an address is intended to be a registry address rather than
+// some other address type, which will then allow for better error reporting
+// due to the additional information about user intent.
+func ParseModuleSourceRegistry(raw string) (ModuleSource, error) {
+	// Before we delegate to the "real" function we'll just make sure this
+	// doesn't look like a local source address, so we can return a better
+	// error message for that situation.
+	if isModuleSourceLocal(raw) {
+		return ModuleSourceRegistry{}, fmt.Errorf("can't use local directory %q as a module registry address", raw)
+	}
+
+	ret, err := parseModuleSourceRegistry(raw)
+	if err != nil {
+		// This is to make sure we return a nil ModuleSource, rather than
+		// a non-nil ModuleSource containing a zero-value ModuleSourceRegistry.
+		return nil, err
+	}
+	return ret, nil
+}
+
 func parseModuleSourceRegistry(raw string) (ModuleSourceRegistry, error) {
 	var err error
 
@@ -298,11 +349,10 @@ func parseModuleRegistryTargetSystem(given string) (string, error) {
 	// Similar to the names in provider source addresses, we defined these
 	// to be compatible with what filesystems and typical remote systems
 	// like GitHub allow in names. Unfortunately we didn't end up defining
-	// these exactly equivalently: provider names can only use dashes as
-	// punctuation, whereas module names can use underscores. So here we're
-	// using some regular expressions from the original module source
-	// implementation, rather than using the IDNA rules as we do in
-	// ParseProviderPart.
+	// these exactly equivalently: provider names can't use dashes or
+	// underscores. So here we're using some regular expressions from the
+	// original module source implementation, rather than using the IDNA rules
+	// as we do in ParseProviderPart.
 
 	if !moduleRegistryTargetSystemPattern.MatchString(given) {
 		return "", fmt.Errorf("must be between one and 64 ASCII letters or digits")

terraform/configs/check.go

@@ -0,0 +1,132 @@
+package configs
+
+import (
+	"fmt"
+
+	"github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint/terraform/addrs"
+	"github.com/terraform-linters/tflint/terraform/lang"
+)
+
+// CheckRule represents a configuration-defined validation rule, precondition,
+// or postcondition. Blocks of this sort can appear in a few different places
+// in configuration, including "validation" blocks for variables,
+// and "precondition" and "postcondition" blocks for resources.
+type CheckRule struct {
+	// Condition is an expression that must evaluate to true if the condition
+	// holds or false if it does not. If the expression produces an error then
+	// that's considered to be a bug in the module defining the check.
+	//
+	// The available variables in a condition expression vary depending on what
+	// a check is attached to. For example, validation rules attached to
+	// input variables can only refer to the variable that is being validated.
+	Condition hcl.Expression
+
+	// ErrorMessage should be one or more full sentences, which should be in
+	// English for consistency with the rest of the error message output but
+	// can in practice be in any language. The message should describe what is
+	// required for the condition to return true in a way that would make sense
+	// to a caller of the module.
+	//
+	// The error message expression has the same variables available for
+	// interpolation as the corresponding condition.
+	ErrorMessage hcl.Expression
+
+	DeclRange hcl.Range
+}
+
+// validateSelfReferences looks for references in the check rule matching the
+// specified resource address, returning error diagnostics if such a reference
+// is found.
+func (cr *CheckRule) validateSelfReferences(checkType string, addr addrs.Resource) hcl.Diagnostics {
+	var diags hcl.Diagnostics
+	refs, _ := lang.References(cr.Condition.Variables())
+	for _, ref := range refs {
+		var refAddr addrs.Resource
+
+		switch rs := ref.Subject.(type) {
+		case addrs.Resource:
+			refAddr = rs
+		case addrs.ResourceInstance:
+			refAddr = rs.Resource
+		default:
+			continue
+		}
+
+		if refAddr.Equal(addr) {
+			diags = diags.Append(&hcl.Diagnostic{
+				Severity: hcl.DiagError,
+				Summary:  fmt.Sprintf("Invalid reference in %s", checkType),
+				Detail:   fmt.Sprintf("Configuration for %s may not refer to itself.", addr.String()),
+				Subject:  cr.Condition.Range().Ptr(),
+			})
+			break
+		}
+	}
+	return diags
+}
+
+// decodeCheckRuleBlock decodes the contents of the given block as a check rule.
+//
+// Unlike most of our "decode..." functions, this one can be applied to blocks
+// of various types as long as their body structures are "check-shaped". The
+// function takes the containing block only because some error messages will
+// refer to its location, and the returned object's DeclRange will be the
+// block's header.
+func decodeCheckRuleBlock(block *hcl.Block, override bool) (*CheckRule, hcl.Diagnostics) {
+	var diags hcl.Diagnostics
+	cr := &CheckRule{
+		DeclRange: block.DefRange,
+	}
+
+	if override {
+		// For now we'll just forbid overriding check blocks, to simplify
+		// the initial design. If we can find a clear use-case for overriding
+		// checks in override files and there's a way to define it that
+		// isn't confusing then we could relax this.
+		diags = diags.Append(&hcl.Diagnostic{
+			Severity: hcl.DiagError,
+			Summary:  fmt.Sprintf("Can't override %s blocks", block.Type),
+			Detail:   fmt.Sprintf("Override files cannot override %q blocks.", block.Type),
+			Subject:  cr.DeclRange.Ptr(),
+		})
+		return cr, diags
+	}
+
+	content, moreDiags := block.Body.Content(checkRuleBlockSchema)
+	diags = append(diags, moreDiags...)
+
+	if attr, exists := content.Attributes["condition"]; exists {
+		cr.Condition = attr.Expr
+
+		if len(cr.Condition.Variables()) == 0 {
+			// A condition expression that doesn't refer to any variable is
+			// pointless, because its result would always be a constant.
+			diags = diags.Append(&hcl.Diagnostic{
+				Severity: hcl.DiagError,
+				Summary:  fmt.Sprintf("Invalid %s expression", block.Type),
+				Detail:   "The condition expression must refer to at least one object from elsewhere in the configuration, or else its result would not be checking anything.",
+				Subject:  cr.Condition.Range().Ptr(),
+			})
+		}
+	}
+
+	if attr, exists := content.Attributes["error_message"]; exists {
+		cr.ErrorMessage = attr.Expr
+	}
+
+	return cr, diags
+}
+
+var checkRuleBlockSchema = &hcl.BodySchema{
+	Attributes: []hcl.AttributeSchema{
+		{
+			Name:     "condition",
+			Required: true,
+		},
+		{
+			Name:     "error_message",
+			Required: true,
+		},
+	},
+}

terraform/configs/config_build.go

@@ -23,11 +23,15 @@ func BuildConfig(root *Module, walker ModuleWalker) (*Config, hcl.Diagnostics) {
 	cfg.Root = cfg // Root module is self-referential.
 	cfg.Children, diags = buildChildModules(cfg, walker)
 
-	// Now that the config is built, we can connect the provider names to all
-	// the known types for validation.
-	cfg.resolveProviderTypes()
+	// Skip provider resolution if there are any errors, since the provider
+	// configurations themselves may not be valid.
+	if !diags.HasErrors() {
+		// Now that the config is built, we can connect the provider names to all
+		// the known types for validation.
+		cfg.resolveProviderTypes()
+	}
 
-	diags = append(diags, validateProviderConfigs(nil, cfg, false)...)
+	diags = append(diags, validateProviderConfigs(nil, cfg, nil)...)
 
 	return cfg, diags
 }

terraform/configs/configschema/implied_type.go

@@ -47,6 +47,9 @@ func (b *Block) ContainsSensitive() bool {
 		if attrS.NestedType != nil && attrS.NestedType.ContainsSensitive() {
 			return true
 		}
+		if attrS.NestedType != nil && attrS.NestedType.ContainsSensitive() {
+			return true
+		}
 	}
 	for _, blockS := range b.BlockTypes {
 		if blockS.ContainsSensitive() {

terraform/configs/module_call.go

@@ -59,15 +59,35 @@ func decodeModuleBlock(block *hcl.Block, override bool) (*ModuleCall, hcl.Diagno
 		})
 	}
 
+	haveVersionArg := false
+	if attr, exists := content.Attributes["version"]; exists {
+		var versionDiags hcl.Diagnostics
+		mc.Version, versionDiags = decodeVersionConstraint(attr)
+		diags = append(diags, versionDiags...)
+		haveVersionArg = true
+	}
+
 	if attr, exists := content.Attributes["source"]; exists {
 		mc.SourceSet = true
 		mc.SourceAddrRange = attr.Expr.Range()
 		valDiags := gohcl.DecodeExpression(attr.Expr, nil, &mc.SourceAddrRaw)
 		diags = append(diags, valDiags...)
 		if !valDiags.HasErrors() {
-			addr, err := addrs.ParseModuleSource(mc.SourceAddrRaw)
+			var addr addrs.ModuleSource
+			var err error
+			if haveVersionArg {
+				addr, err = addrs.ParseModuleSourceRegistry(mc.SourceAddrRaw)
+			} else {
+				addr, err = addrs.ParseModuleSource(mc.SourceAddrRaw)
+			}
 			mc.SourceAddr = addr
 			if err != nil {
+				// NOTE: We leave mc.SourceAddr as nil for any situation where the
+				// source attribute is invalid, so any code which tries to carefully
+				// use the partial result of a failed config decode must be
+				// resilient to that.
+				mc.SourceAddr = nil
+
 				// NOTE: In practice it's actually very unlikely to end up here,
 				// because our source address parser can turn just about any string
 				// into some sort of remote package address, and so for most errors
@@ -87,25 +107,27 @@ func decodeModuleBlock(block *hcl.Block, override bool) (*ModuleCall, hcl.Diagno
 						Subject: mc.SourceAddrRange.Ptr(),
 					})
 				default:
-					diags = append(diags, &hcl.Diagnostic{
-						Severity: hcl.DiagError,
-						Summary:  "Invalid module source address",
-						Detail:   fmt.Sprintf("Failed to parse module source address: %s.", err),
-						Subject:  mc.SourceAddrRange.Ptr(),
-					})
+					if haveVersionArg {
+						// In this case we'll include some extra context that
+						// we assumed a registry source address due to the
+						// version argument.
+						diags = append(diags, &hcl.Diagnostic{
+							Severity: hcl.DiagError,
+							Summary:  "Invalid registry module source address",
+							Detail:   fmt.Sprintf("Failed to parse module registry address: %s.\n\nTerraform assumed that you intended a module registry source address because you also set the argument \"version\", which applies only to registry modules.", err),
+							Subject:  mc.SourceAddrRange.Ptr(),
+						})
+					} else {
+						diags = append(diags, &hcl.Diagnostic{
+							Severity: hcl.DiagError,
+							Summary:  "Invalid module source address",
+							Detail:   fmt.Sprintf("Failed to parse module source address: %s.", err),
+							Subject:  mc.SourceAddrRange.Ptr(),
+						})
+					}
 				}
 			}
 		}
-		// NOTE: We leave mc.SourceAddr as nil for any situation where the
-		// source attribute is invalid, so any code which tries to carefully
-		// use the partial result of a failed config decode must be
-		// resilient to that.
-	}
-
-	if attr, exists := content.Attributes["version"]; exists {
-		var versionDiags hcl.Diagnostics
-		mc.Version, versionDiags = decodeVersionConstraint(attr)
-		diags = append(diags, versionDiags...)
 	}
 
 	if attr, exists := content.Attributes["count"]; exists {