dependabot-terraform 0.149.5 → 0.152.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9a9e700ab4432a3cb4a89b2fdf45703450f02837c53adfbd611eab3f67318059
-  data.tar.gz: ade464330ee565a1078044a80e5a46416b10a4f925bfffb970f2402983eea233
+  metadata.gz: f69c8207cead85572a7a56be9c9d47a6415d108e19f32c5a7a3425734b4c8cee
+  data.tar.gz: 32d836bf4305e5db560266b89a3e9f393bd3831c9e7802bf190791b0449292bc
 SHA512:
-  metadata.gz: 68d40bdc064bef052f36dcfb601dfa251f50d152a552eba1f9e4a1361333da6a971c7861d931b6d5bd6c55d3b2deff1df87ab756aec8c0222136db6f79116e9e
-  data.tar.gz: 28a31bfb8674917ca16e388373acfb19ebceb9bd643f9f2d7d92355227f672212e5ec035b17909b597c24134be6fab764eb26e122941a611eb08497233933196
+  metadata.gz: 27a13aa350707173fc7064ea944099607e9bf14115edafeeb6571afc81853f8e872f3418c407bdd5b551abff76d427df904955fcbe5091f725e2ccfa916b0798
+  data.tar.gz: 2395aa72efb2b73d79be7cf598c9c5b049be64accf66b5d826e05802f38768a866b8a7c47ea349dcb218c5534d91467224c715f67b918e9b6a3e9b58a951bf9c

data/lib/dependabot/terraform/file_fetcher.rb

@@ -23,6 +23,7 @@ module Dependabot
         fetched_files = []
         fetched_files += terraform_files
         fetched_files += terragrunt_files
+        fetched_files += [lock_file] if lock_file
 
         return fetched_files if fetched_files.any?
 
@@ -45,6 +46,10 @@ module Dependabot
           select { |f| f.type == "file" && terragrunt_file?(f.name) }.
           map { |f| fetch_file_from_host(f.name) }
       end
+
+      def lock_file
+        @lock_file ||= fetch_file_if_present(".terraform.lock.hcl")
+      end
     end
   end
 end

data/lib/dependabot/terraform/file_parser.rb

@@ -87,6 +87,8 @@ module Dependabot
       end
 
       def build_provider_dependency(file, name, details = {})
+        deprecated_provider_error(file) if deprecated_provider?(details)
+
         source_address = details.fetch("source", nil)
         version_req = details["version"]&.strip
         hostname, namespace, name = provider_source_from(source_address, name)
@@ -109,6 +111,21 @@ module Dependabot
         )
       end
 
+      def deprecated_provider_error(file)
+        raise Dependabot::DependencyFileNotParseable.new(
+          file.path,
+          "This terraform provider syntax is now deprecated.\n"\
+          "See https://www.terraform.io/docs/language/providers/requirements.html "\
+          "for the new Terraform v0.13+ provider syntax."
+        )
+      end
+
+      def deprecated_provider?(details)
+        # The old syntax for terraform providers v0.12- looked like
+        # "tls ~> 2.1" which gets parsed as a string instead of a hash
+        details.is_a?(String)
+      end
+
       def build_terragrunt_dependency(file, details)
         source = source_from(details)
         dep_name =

data/lib/dependabot/terraform/file_selector.rb

@@ -12,6 +12,14 @@ module FileSelector
   end
 
   def terragrunt_file?(file_name)
-    file_name != ".terraform.lock.hcl" && file_name.end_with?(".hcl")
+    !lock_file?(file_name) && file_name.end_with?(".hcl")
+  end
+
+  def lock_file?(filename)
+    filename == ".terraform.lock.hcl"
+  end
+
+  def lock_file
+    dependency_files.find { |f| lock_file?(f.name) }
   end
 end

data/lib/dependabot/terraform/file_updater.rb

@@ -4,6 +4,7 @@ require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
 require "dependabot/errors"
 require "dependabot/terraform/file_selector"
+require "dependabot/shared_helpers"
 
 module Dependabot
   module Terraform
@@ -21,10 +22,18 @@ module Dependabot
           next unless file_changed?(file)
 
           updated_content = updated_terraform_file_content(file)
+
           raise "Content didn't change!" if updated_content == file.content
 
           updated_files << updated_file(file: file, content: updated_content)
         end
+        updated_lockfile_content = update_lockfile_declaration
+
+        if updated_lockfile_content && lock_file.content != updated_lockfile_content
+          updated_files << updated_file(file: lock_file, content: updated_lockfile_content)
+        end
+
+        updated_files.compact!
 
         raise "No files changed!" if updated_files.none?
 
@@ -39,7 +48,7 @@ module Dependabot
         reqs = dependency.requirements.zip(dependency.previous_requirements).
                reject { |new_req, old_req| new_req == old_req }
 
-        # Loop through each changed requirement and update the files
+        # Loop through each changed requirement and update the files and lockfile
         reqs.each do |new_req, old_req|
           raise "Bad req match" unless new_req[:file] == old_req[:file]
           next unless new_req.fetch(:file) == file.name
@@ -81,6 +90,45 @@ module Dependabot
         end
       end
 
+      def update_lockfile_declaration
+        return if lock_file.nil?
+
+        new_req = dependency.requirements.first
+        content = lock_file.content.dup
+
+        provider_source = new_req[:source][:registry_hostname] + "/" + new_req[:source][:module_identifier]
+        declaration_regex = lockfile_declaration_regex(provider_source)
+        lockfile_dependency_removed = content.sub(declaration_regex, "")
+
+        SharedHelpers.in_a_temporary_directory do
+          write_dependency_files
+
+          File.write(".terraform.lock.hcl", lockfile_dependency_removed)
+          SharedHelpers.run_shell_command("terraform providers lock #{provider_source}")
+
+          updated_lockfile = File.read(".terraform.lock.hcl")
+          updated_dependency = updated_lockfile.scan(declaration_regex).first
+
+          # Terraform will occasionally update h1 hashes without updating the version of the dependency
+          # Here we make sure the dependency's version actually changes in the lockfile
+          unless updated_dependency.scan(declaration_regex).first.scan(/^\s*version\s*=.*/) ==
+                 content.scan(declaration_regex).first.scan(/^\s*version\s*=.*/)
+            content.sub!(declaration_regex, updated_dependency)
+          end
+        end
+
+        content
+      end
+
+      def write_dependency_files
+        dependency_files.each do |file|
+          # Do not include the .terraform directory or .terraform.lock.hcl
+          next if file.name.include?(".terraform")
+
+          File.write(file.name, file.content)
+        end
+      end
+
       def dependency
         # Terraform updates will only ever be updating a single dependency
         dependencies.first
@@ -131,6 +179,14 @@ module Dependabot
         source = dependency.requirements.map { |r| r[:source] }.compact.first
         source[:registry_hostname] || source["registry_hostname"] || "registry.terraform.io"
       end
+
+      def lockfile_declaration_regex(provider_source)
+        /
+          (?:(?!^\}).)*
+          provider\s*["']#{Regexp.escape(provider_source)}["']\s*\{
+          (?:(?!^\}).)*}
+        /mx
+      end
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-terraform
 version: !ruby/object:Gem::Version
-  version: 0.149.5
+  version: 0.152.1
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-06-02 00:00:00.000000000 Z
+date: 2021-06-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.149.5
+        version: 0.152.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.149.5
+        version: 0.152.1
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement