dependabot-terraform 0.149.4 → 0.152.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e9de51bfa366e94b80943405b7083988d76080444dc177b57d9a8fd425e9292f
-  data.tar.gz: 1d4794c8175cac535813c12a8e017e3b8e3c4f96068a91e5db3c75db5945ceba
+  metadata.gz: dfefb1320f00b268bba02b10255217750cb091d1cd275183a436d6bddcb799f3
+  data.tar.gz: 751a7d3e23094385b25cb7dd7d228dc92d6ca4a3ed4da5c61edd7e9b662a6348
 SHA512:
-  metadata.gz: 74431e13c158375f439e50127078fd7db31b56387cf3a2ff5d013ebff91427642c2b67874dd94a22e83d336f58efddcb6ec9edeb4181d7cadc25fe759fe12fcc
-  data.tar.gz: 384487d5ad087fee58324485f1c288ae7803f550e6b763128efadc883999931dd233182f56afc8c26ec2030d20179b234d32b0c96b535722c72fedf4cfa0e49e
+  metadata.gz: 02cc22ac7e9c4a6eb94d3d87fb2924aa04a8e671e477e35495960d067366f63832f11413b4cbbb9490c1ff732830676be5eabfe4eb6d08e83e7562ff5223f190
+  data.tar.gz: 48ffc333db0dbe7ca16e9caad59d5aeb36c49cd235145763be36d405503e16c6915f3f567f7303e726dd5024dce7904681505dc99bbf66db7d74f4f38218861d

data/lib/dependabot/terraform/file_fetcher.rb

@@ -23,6 +23,7 @@ module Dependabot
         fetched_files = []
         fetched_files += terraform_files
         fetched_files += terragrunt_files
+        fetched_files += [lock_file] if lock_file
 
         return fetched_files if fetched_files.any?
 
@@ -45,6 +46,10 @@ module Dependabot
           select { |f| f.type == "file" && terragrunt_file?(f.name) }.
           map { |f| fetch_file_from_host(f.name) }
       end
+
+      def lock_file
+        @lock_file ||= fetch_file_if_present(".terraform.lock.hcl")
+      end
     end
   end
 end

data/lib/dependabot/terraform/file_selector.rb

@@ -12,6 +12,14 @@ module FileSelector
   end
 
   def terragrunt_file?(file_name)
-    file_name != ".terraform.lock.hcl" && file_name.end_with?(".hcl")
+    !lock_file?(file_name) && file_name.end_with?(".hcl")
+  end
+
+  def lock_file?(filename)
+    filename == ".terraform.lock.hcl"
+  end
+
+  def lock_file
+    dependency_files.find { |f| lock_file?(f.name) }
   end
 end

data/lib/dependabot/terraform/file_updater.rb

@@ -4,6 +4,7 @@ require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
 require "dependabot/errors"
 require "dependabot/terraform/file_selector"
+require "dependabot/shared_helpers"
 
 module Dependabot
   module Terraform
@@ -21,10 +22,18 @@ module Dependabot
           next unless file_changed?(file)
 
           updated_content = updated_terraform_file_content(file)
+
           raise "Content didn't change!" if updated_content == file.content
 
           updated_files << updated_file(file: file, content: updated_content)
         end
+        updated_lockfile_content = update_lockfile_declaration
+
+        if updated_lockfile_content && lock_file.content != updated_lockfile_content
+          updated_files << updated_file(file: lock_file, content: updated_lockfile_content)
+        end
+
+        updated_files.compact!
 
         raise "No files changed!" if updated_files.none?
 
@@ -39,7 +48,7 @@ module Dependabot
         reqs = dependency.requirements.zip(dependency.previous_requirements).
                reject { |new_req, old_req| new_req == old_req }
 
-        # Loop through each changed requirement and update the files
+        # Loop through each changed requirement and update the files and lockfile
         reqs.each do |new_req, old_req|
           raise "Bad req match" unless new_req[:file] == old_req[:file]
           next unless new_req.fetch(:file) == file.name
@@ -81,6 +90,45 @@ module Dependabot
         end
       end
 
+      def update_lockfile_declaration
+        return if lock_file.nil?
+
+        new_req = dependency.requirements.first
+        content = lock_file.content.dup
+
+        provider_source = new_req[:source][:registry_hostname] + "/" + new_req[:source][:module_identifier]
+        declaration_regex = lockfile_declaration_regex(provider_source)
+        lockfile_dependency_removed = content.sub(declaration_regex, "")
+
+        SharedHelpers.in_a_temporary_directory do
+          write_dependency_files
+
+          File.write(".terraform.lock.hcl", lockfile_dependency_removed)
+          SharedHelpers.run_shell_command("terraform providers lock #{provider_source}")
+
+          updated_lockfile = File.read(".terraform.lock.hcl")
+          updated_dependency = updated_lockfile.scan(declaration_regex).first
+
+          # Terraform will occasionally update h1 hashes without updating the version of the dependency
+          # Here we make sure the dependency's version actually changes in the lockfile
+          unless updated_dependency.scan(declaration_regex).first.scan(/^\s*version\s*=.*/) ==
+                 content.scan(declaration_regex).first.scan(/^\s*version\s*=.*/)
+            content.sub!(declaration_regex, updated_dependency)
+          end
+        end
+
+        content
+      end
+
+      def write_dependency_files
+        dependency_files.each do |file|
+          # Do not include the .terraform directory or .terraform.lock.hcl
+          next if file.name.include?(".terraform")
+
+          File.write(file.name, file.content)
+        end
+      end
+
       def dependency
         # Terraform updates will only ever be updating a single dependency
         dependencies.first
@@ -131,6 +179,14 @@ module Dependabot
         source = dependency.requirements.map { |r| r[:source] }.compact.first
         source[:registry_hostname] || source["registry_hostname"] || "registry.terraform.io"
       end
+
+      def lockfile_declaration_regex(provider_source)
+        /
+          (?:(?!^\}).)*
+          provider\s*["']#{Regexp.escape(provider_source)}["']\s*\{
+          (?:(?!^\}).)*}
+        /mx
+      end
     end
   end
 end

data/lib/dependabot/terraform/registry_client.rb

@@ -75,11 +75,11 @@ module Dependabot
       #
       # @param service_key [String] the service type described in https://www.terraform.io/docs/internals/remote-service-discovery.html#supported-services
       # @param return String
-      # @raise [Dependabot::DependabotError] when the service is not available
+      # @raise [Dependabot::PrivateSourceAuthenticationFailure] when the service is not available
       def service_url_for(service_key)
         url_for(services.fetch(service_key))
       rescue KeyError
-        raise error("Host does not support required Terraform-native service")
+        raise Dependabot::PrivateSourceAuthenticationFailure, "Host does not support required Terraform-native service"
       end
 
       private

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-terraform
 version: !ruby/object:Gem::Version
-  version: 0.149.4
+  version: 0.152.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-06-01 00:00:00.000000000 Z
+date: 2021-06-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.149.4
+        version: 0.152.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.149.4
+        version: 0.152.0
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -100,14 +100,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.15.0
+        version: 1.16.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.15.0
+        version: 1.16.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement