dependabot-terraform 0.76.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 781b56819ef8fc54cb1b635f913f81139d149c80e6461d86b9e61e36916aa9c8
+  data.tar.gz: ed1697ae2b43e42d4b76db373643d28c3dff4c0f67c07291f8180fc56da0c341
+SHA512:
+  metadata.gz: b51f5746555c34bffed4736fa11217c8b24e8fb1d4f464846c750572e9e55f77680231b0d2603555f06ae14b35dc34bcc16808cd9740566c0d7ae24a2951900e
+  data.tar.gz: 01cbd90a18f476d9c7521c7facc5e225e1c2afd3b8954d4f0efb88daf69d370630d1a840b6eccbdd0add3c2fa277d46aa44935e6c6fd673d70dbe0b174f2cb54

data/helpers/build

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+install_dir=$1
+if [ -z "$install_dir" ]; then
+  echo "usage: $0 INSTALL_DIR"
+  exit 1
+fi
+
+if [ ! -d "$install_dir/bin" ]; then
+  mkdir -p "$install_dir/bin"
+fi
+
+os="$(uname -s | tr '[:upper:]' '[:lower:]')"
+github_url="https://github.com/kvz/json2hcl"
+url="${github_url}/releases/download/v0.0.6/json2hcl_v0.0.6_${os}_amd64"
+wget -O "$install_dir/bin/json2hcl" "$url"
+chmod +x "$install_dir/bin/json2hcl"

data/lib/dependabot/terraform.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+# These all need to be required so the various classes can be registered in a
+# lookup table of package manager names to concrete classes.
+require "dependabot/terraform/file_fetcher"
+require "dependabot/terraform/file_parser"
+require "dependabot/terraform/update_checker"
+require "dependabot/terraform/file_updater"
+require "dependabot/terraform/metadata_finder"
+require "dependabot/terraform/requirement"
+require "dependabot/terraform/version"

data/lib/dependabot/terraform/file_fetcher.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require "dependabot/file_fetchers"
+require "dependabot/file_fetchers/base"
+
+module Dependabot
+  module Terraform
+    class FileFetcher < Dependabot::FileFetchers::Base
+      def self.required_files_in?(filenames)
+        filenames.any? { |f| f.end_with?(".tf", ".tfvars") }
+      end
+
+      def self.required_files_message
+        "Repo must contain a Terraform configuration file."
+      end
+
+      private
+
+      def fetch_files
+        fetched_files = []
+        fetched_files += terraform_files
+        fetched_files += terragrunt_files
+
+        return fetched_files if fetched_files.any?
+
+        raise(
+          Dependabot::DependencyFileNotFound,
+          File.join(directory, "<anything>.tf")
+        )
+      end
+
+      def terraform_files
+        @terraform_files ||=
+          repo_contents(raise_errors: false).
+          select { |f| f.type == "file" && f.name.end_with?(".tf") }.
+          map { |f| fetch_file_from_host(f.name) }
+      end
+
+      def terragrunt_files
+        @terragrunt_files ||=
+          repo_contents(raise_errors: false).
+          select { |f| f.type == "file" && f.name.end_with?(".tfvars") }.
+          map { |f| fetch_file_from_host(f.name) }
+      end
+    end
+  end
+end
+
+Dependabot::FileFetchers.
+  register("terraform", Dependabot::Terraform::FileFetcher)

data/lib/dependabot/terraform/file_parser.rb

@@ -0,0 +1,267 @@
+# frozen_string_literal: true
+
+require "cgi"
+require "excon"
+require "nokogiri"
+require "dependabot/dependency"
+require "dependabot/file_parsers"
+require "dependabot/file_parsers/base"
+require "dependabot/git_commit_checker"
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+
+module Dependabot
+  module Terraform
+    class FileParser < Dependabot::FileParsers::Base
+      require "dependabot/file_parsers/base/dependency_set"
+
+      ARCHIVE_EXTENSIONS = %w(.zip .tbz2 .tgz .txz).freeze
+
+      def parse
+        dependency_set = DependencySet.new
+
+        terraform_files.each do |file|
+          modules = parsed_file(file).fetch("module", []).map(&:first)
+          modules.each do |name, details|
+            dependency_set << build_terraform_dependency(file, name, details)
+          end
+        end
+
+        terragrunt_files.each do |file|
+          modules = parsed_file(file).fetch("terragrunt", []).first || {}
+          modules = modules.fetch("terraform", [])
+          modules.each do |details|
+            next unless details["source"]
+
+            dependency_set << build_terragrunt_dependency(file, details)
+          end
+        end
+
+        dependency_set.dependencies
+      end
+
+      private
+
+      def build_terraform_dependency(file, name, details)
+        details = details.first
+
+        source = source_from(details)
+        dep_name =
+          source[:type] == "registry" ? source[:module_identifier] : name
+        version_req = details["version"]&.strip
+        version =
+          if source[:type] == "git" then version_from_ref(source[:ref])
+          elsif version_req&.match?(/^\d/) then version_req
+          end
+
+        Dependency.new(
+          name: dep_name,
+          version: version,
+          package_manager: "terraform",
+          requirements: [
+            requirement: version_req,
+            groups: [],
+            file: file.name,
+            source: source
+          ]
+        )
+      end
+
+      def build_terragrunt_dependency(file, details)
+        source = source_from(details)
+        dep_name =
+          if Source.from_url(source[:url])
+            Source.from_url(source[:url]).repo
+          else
+            source[:url]
+          end
+
+        version = version_from_ref(source[:ref])
+
+        Dependency.new(
+          name: dep_name,
+          version: version,
+          package_manager: "terraform",
+          requirements: [
+            requirement: nil,
+            groups: [],
+            file: file.name,
+            source: source
+          ]
+        )
+      end
+
+      # Full docs at https://www.terraform.io/docs/modules/sources.html
+      def source_from(details_hash)
+        raw_source = details_hash.fetch("source")
+        bare_source = get_proxied_source(raw_source)
+
+        source_details =
+          case source_type(bare_source)
+          when :http_archive, :path, :mercurial, :s3
+            { type: source_type(bare_source).to_s, url: bare_source }
+          when :github, :bitbucket, :git
+            git_source_details_from(bare_source)
+          when :registry
+            registry_source_details_from(bare_source)
+          end
+
+        source_details[:proxy_url] = raw_source if raw_source != bare_source
+        source_details
+      end
+
+      def registry_source_details_from(source_string)
+        parts = source_string.split("/")
+
+        if parts.count == 3
+          {
+            type: "registry",
+            registry_hostname: "registry.terraform.io",
+            module_identifier: source_string
+          }
+        elsif parts.count == 4
+          {
+            type: "registry",
+            registry_hostname: parts.first,
+            module_identifier: parts[1..3].join("/")
+          }
+        else
+          msg = "Invalid registry source specified: '#{source_string}'"
+          raise DependencyFileNotEvaluatable, msg
+        end
+      end
+
+      def git_source_details_from(source_string)
+        git_url = source_string.strip.gsub(/^git::/, "")
+        unless git_url.start_with?("git@") || git_url.include?("://")
+          git_url = "https://" + git_url
+        end
+
+        bare_uri =
+          if git_url.include?("git@")
+            git_url.split("git@").last.sub(":", "/")
+          else
+            git_url.sub(%r{.*?://}, "")
+          end
+
+        querystr = URI.parse("https://" + bare_uri).query
+        git_url = git_url.split(%r{(?<!:)//}).first.gsub("?#{querystr}", "")
+
+        {
+          type: "git",
+          url: git_url,
+          branch: nil,
+          ref: CGI.parse(querystr.to_s)["ref"].first
+        }
+      end
+
+      def version_from_ref(ref)
+        version_regex = GitCommitChecker::VERSION_REGEX
+        return unless ref&.match?(version_regex)
+
+        ref.match(version_regex).named_captures.fetch("version")
+      end
+
+      # See https://www.terraform.io/docs/modules/sources.html#http-urls for
+      # details of how Terraform handle HTTP(S) sources for modules
+      def get_proxied_source(raw_source)
+        return raw_source unless raw_source.start_with?("http")
+
+        uri = URI.parse(raw_source.split(%r{(?<!:)//}).first)
+        return raw_source if uri.path.end_with?(*ARCHIVE_EXTENSIONS)
+        return raw_source if URI.parse(raw_source).query.include?("archive=")
+
+        url = raw_source.split(%r{(?<!:)//}).first + "?terraform-get=1"
+
+        response = Excon.get(
+          url,
+          idempotent: true,
+          **SharedHelpers.excon_defaults
+        )
+
+        if response.headers["X-Terraform-Get"]
+          return response.headers["X-Terraform-Get"]
+        end
+
+        doc = Nokogiri::XML(response.body)
+        doc.css("meta").find do |tag|
+          tag.attributes&.fetch("name", nil)&.value == "terraform-get"
+        end&.attributes&.fetch("content", nil)&.value
+      end
+
+      # rubocop:disable Metrics/CyclomaticComplexity
+      # rubocop:disable Metrics/PerceivedComplexity
+      def source_type(source_string)
+        return :path if source_string.start_with?(".")
+        return :github if source_string.start_with?("github.com/")
+        return :bitbucket if source_string.start_with?("bitbucket.org/")
+        return :git if source_string.start_with?("git::")
+        return :mercurial if source_string.start_with?("hg::")
+        return :s3 if source_string.start_with?("s3::")
+
+        if source_string.split("/").first.include?("::")
+          raise "Unknown src: #{source_string}"
+        end
+
+        return :registry unless source_string.start_with?("http")
+
+        path_uri = URI.parse(source_string.split(%r{(?<!:)//}).first)
+        query_uri = URI.parse(source_string)
+        return :http_archive if path_uri.path.end_with?(*ARCHIVE_EXTENSIONS)
+        return :http_archive if query_uri.query.include?("archive=")
+
+        raise "HTTP source, but not an archive!"
+      end
+      # rubocop:enable Metrics/CyclomaticComplexity
+      # rubocop:enable Metrics/PerceivedComplexity
+
+      def parsed_file(file)
+        @parsed_buildfile ||= {}
+        @parsed_buildfile[file.name] ||=
+          SharedHelpers.in_a_temporary_directory do
+            File.write("tmp.tf", file.content)
+
+            command = "#{terraform_parser_path} -reverse < tmp.tf"
+            raw_response = nil
+            IO.popen(command) { |process| raw_response = process.read }
+
+            unless $CHILD_STATUS.success?
+              raise SharedHelpers::HelperSubprocessFailed.new(
+                raw_response,
+                command
+              )
+            end
+
+            JSON.parse(raw_response)
+          end
+      end
+
+      def terraform_parser_path
+        helper_bin_dir = File.join(native_helpers_root, "terraform/bin")
+        Pathname.new(File.join(helper_bin_dir, "json2hcl")).cleanpath.to_path
+      end
+
+      def native_helpers_root
+        default_path = File.join(__dir__, "../../../helpers/install-dir")
+        ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", default_path)
+      end
+
+      def terraform_files
+        dependency_files.select { |f| f.name.end_with?(".tf") }
+      end
+
+      def terragrunt_files
+        dependency_files.select { |f| f.name.end_with?(".tfvars") }
+      end
+
+      def check_required_files
+        return if [*terraform_files, *terragrunt_files].any?
+
+        raise "No Terraform configuration file!"
+      end
+    end
+  end
+end
+
+Dependabot::FileParsers.
+  register("terraform", Dependabot::Terraform::FileParser)

data/lib/dependabot/terraform/file_updater.rb

@@ -0,0 +1,130 @@
+# frozen_string_literal: true
+
+require "dependabot/file_updaters"
+require "dependabot/file_updaters/base"
+require "dependabot/errors"
+
+module Dependabot
+  module Terraform
+    class FileUpdater < Dependabot::FileUpdaters::Base
+      def self.updated_files_regex
+        [/\.tf$/, /\.tfvars$/]
+      end
+
+      def updated_dependency_files
+        updated_files = []
+
+        [*terraform_files, *terragrunt_files].each do |file|
+          next unless file_changed?(file)
+
+          updated_content = updated_terraform_file_content(file)
+          raise "Content didn't change!" if updated_content == file.content
+
+          updated_files << updated_file(file: file, content: updated_content)
+        end
+
+        raise "No files changed!" if updated_files.none?
+
+        updated_files
+      end
+
+      private
+
+      def updated_terraform_file_content(file)
+        content = file.content.dup
+
+        reqs = dependency.requirements.zip(dependency.previous_requirements).
+               reject { |new_req, old_req| new_req == old_req }
+
+        # Loop through each changed requirement and update the files
+        reqs.each do |new_req, old_req|
+          raise "Bad req match" unless new_req[:file] == old_req[:file]
+          next unless new_req.fetch(:file) == file.name
+
+          case new_req[:source][:type]
+          when "git"
+            update_git_declaration(new_req, old_req, content, file.name)
+          when "registry"
+            update_registry_declaration(new_req, old_req, content)
+          else
+            raise "Don't know how to update a #{new_req[:source][:type]} "\
+                  "declaration!"
+          end
+        end
+
+        content
+      end
+
+      def update_git_declaration(new_req, old_req, updated_content, filename)
+        url = old_req.fetch(:source)[:url].gsub(%r{^https://}, "")
+        tag = old_req.fetch(:source)[:ref]
+        url_regex = /#{Regexp.quote(url)}.*ref=#{Regexp.quote(tag)}/
+
+        declaration_regex = git_declaration_regex(filename)
+
+        updated_content.sub!(declaration_regex) do |regex_match|
+          regex_match.sub(url_regex) do |url_match|
+            url_match.sub(old_req[:source][:ref], new_req[:source][:ref])
+          end
+        end
+      end
+
+      def update_registry_declaration(new_req, old_req, updated_content)
+        updated_content.sub!(registry_declaration_regex) do |regex_match|
+          regex_match.sub(/version\s*=.*/) do |req_line_match|
+            req_line_match.sub(old_req[:requirement], new_req[:requirement])
+          end
+        end
+      end
+
+      def dependency
+        # Terraform updates will only ever be updating a single dependency
+        dependencies.first
+      end
+
+      def files_with_requirement
+        filenames = dependency.requirements.map { |r| r[:file] }
+        dependency_files.select { |file| filenames.include?(file.name) }
+      end
+
+      def terraform_files
+        dependency_files.select { |f| f.name.end_with?(".tf") }
+      end
+
+      def terragrunt_files
+        dependency_files.select { |f| f.name.end_with?(".tfvars") }
+      end
+
+      def check_required_files
+        return if [*terraform_files, *terragrunt_files].any?
+
+        raise "No Terraform configuration file!"
+      end
+
+      def registry_declaration_regex
+        /
+          (?<=\{)
+          (?:(?!^\}).)*
+          source\s*=\s*["']#{Regexp.escape(dependency.name)}["']
+          (?:(?!^\}).)*
+        /mx
+      end
+
+      def git_declaration_regex(filename)
+        # For terragrunt dependencies there's not a lot we can base the
+        # regex on. Just look for declarations within a `terraform` block
+        return /terraform\s*\{(?:(?!^\}).)*/m if filename.end_with?(".tfvars")
+
+        # For modules we can do better - filter for module blocks that use the
+        # name of the dependency
+        /
+          module\s+["']#{Regexp.escape(dependency.name)}["']\s*\{
+          (?:(?!^\}).)*
+        /mx
+      end
+    end
+  end
+end
+
+Dependabot::FileUpdaters.
+  register("terraform", Dependabot::Terraform::FileUpdater)

data/lib/dependabot/terraform/metadata_finder.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+require "excon"
+require "json"
+require "dependabot/metadata_finders"
+require "dependabot/metadata_finders/base"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module Terraform
+    class MetadataFinder < Dependabot::MetadataFinders::Base
+      private
+
+      def look_up_source
+        case new_source_type
+        when "git" then find_source_from_git_url
+        when "registry" then find_source_from_registry_details
+        else raise "Unexpected source type: #{new_source_type}"
+        end
+      end
+
+      def new_source_type
+        sources =
+          dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
+
+        return "default" if sources.empty?
+        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
+
+        sources.first[:type] || sources.first.fetch("type")
+      end
+
+      def find_source_from_git_url
+        info = dependency.requirements.map { |r| r[:source] }.compact.first
+
+        url = info[:url] || info.fetch("url")
+        Source.from_url(url)
+      end
+
+      # Registry API docs:
+      # https://www.terraform.io/docs/registry/api.html
+      def find_source_from_registry_details
+        info = dependency.requirements.map { |r| r[:source] }.compact.first
+
+        hostname = info[:registry_hostname] || info["registry_hostname"]
+
+        # TODO: Implement service discovery for custom registries
+        return unless hostname == "registry.terraform.io"
+
+        url = "https://registry.terraform.io/v1/modules/"\
+              "#{dependency.name}/#{dependency.version}"
+
+        response = Excon.get(
+          url,
+          idempotent: true,
+          **SharedHelpers.excon_defaults
+        )
+
+        unless response.status == 200
+          raise "Response from registry was #{response.status}"
+        end
+
+        source_url = JSON.parse(response.body).fetch("source")
+        Source.from_url(source_url) if source_url
+      end
+    end
+  end
+end
+
+Dependabot::MetadataFinders.
+  register("terraform", Dependabot::Terraform::MetadataFinder)

data/lib/dependabot/terraform/requirement.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require "dependabot/utils"
+require "dependabot/terraform/version"
+
+# Just ensures that Terraform requirements use Terraform versions
+module Dependabot
+  module Terraform
+    class Requirement < Gem::Requirement
+      def self.parse(obj)
+        return ["=", Version.new(obj.to_s)] if obj.is_a?(Gem::Version)
+
+        unless (matches = PATTERN.match(obj.to_s))
+          msg = "Illformed requirement [#{obj.inspect}]"
+          raise BadRequirementError, msg
+        end
+
+        return DefaultRequirement if matches[1] == ">=" && matches[2] == "0"
+
+        [matches[1] || "=", Terraform::Version.new(matches[2])]
+      end
+
+      # For consistency with other langauges, we define a requirements array.
+      # Terraform doesn't have an `OR` separator for requirements, so it
+      # always contains a single element.
+      def self.requirements_array(requirement_string)
+        [new(requirement_string)]
+      end
+    end
+  end
+end
+
+Dependabot::Utils.
+  register_requirement_class("terraform", Dependabot::Terraform::Requirement)

data/lib/dependabot/terraform/requirements_updater.rb

@@ -0,0 +1,139 @@
+# frozen_string_literal: true
+
+####################################################################
+# For more details on Terraform version constraints, see:          #
+# https://www.terraform.io/docs/modules/usage.html#module-versions #
+####################################################################
+
+require "dependabot/terraform/version"
+require "dependabot/terraform/requirement"
+
+module Dependabot
+  module Terraform
+    class RequirementsUpdater
+      def initialize(requirements:, latest_version:,
+                     tag_for_latest_version:)
+        @requirements = requirements
+        @tag_for_latest_version = tag_for_latest_version
+
+        return unless latest_version
+        return unless version_class.correct?(latest_version)
+
+        @latest_version = version_class.new(latest_version)
+      end
+
+      def updated_requirements
+        return requirements unless latest_version
+
+        # Note: Order is important here. The FileUpdater needs the updated
+        # requirement at index `i` to correspond to the previous requirement
+        # at the same index.
+        requirements.map do |req|
+          case req.dig(:source, :type)
+          when "git" then update_git_requirement(req)
+          when "registry" then update_registry_requirement(req)
+          else req
+          end
+        end
+      end
+
+      private
+
+      attr_reader :requirements, :latest_version, :tag_for_latest_version
+
+      def update_git_requirement(req)
+        return req unless req.dig(:source, :ref)
+        return req unless tag_for_latest_version
+
+        req.merge(source: req[:source].merge(ref: tag_for_latest_version))
+      end
+
+      def update_registry_requirement(req)
+        return req if req.fetch(:requirement).nil?
+
+        string_req = req.fetch(:requirement).strip
+        ruby_req = requirement_class.new(string_req)
+        return req if ruby_req.satisfied_by?(latest_version)
+
+        new_req =
+          if ruby_req.exact? then latest_version.to_s
+          elsif string_req.start_with?("~>")
+            update_twiddle_version(string_req).to_s
+          else
+            update_range(string_req).map(&:to_s).join(", ")
+          end
+
+        req.merge(requirement: new_req)
+      end
+
+      # Updates the version in a "~>" constraint to allow the given version
+      def update_twiddle_version(req_string)
+        old_version = requirement_class.new(req_string).
+                      requirements.first.last
+        updated_version = at_same_precision(latest_version, old_version)
+        req_string.sub(old_version.to_s, updated_version)
+      end
+
+      def update_range(req_string)
+        requirement_class.new(req_string).requirements.flat_map do |r|
+          next r if r.satisfied_by?(latest_version)
+
+          case op = r.requirements.first.first
+          when "<", "<=" then [update_greatest_version(r, latest_version)]
+          when "!=" then []
+          else raise "Unexpected operation for unsatisfied req: #{op}"
+          end
+        end
+      end
+
+      def at_same_precision(new_version, old_version)
+        release_precision =
+          old_version.to_s.split(".").select { |i| i.match?(/^\d+$/) }.count
+        prerelease_precision =
+          old_version.to_s.split(".").count - release_precision
+
+        new_release =
+          new_version.to_s.split(".").first(release_precision)
+        new_prerelease =
+          new_version.to_s.split(".").
+          drop_while { |i| i.match?(/^\d+$/) }.
+          first([prerelease_precision, 1].max)
+
+        [*new_release, *new_prerelease].join(".")
+      end
+
+      # Updates the version in a "<" or "<=" constraint to allow the given
+      # version
+      def update_greatest_version(requirement, version_to_be_permitted)
+        if version_to_be_permitted.is_a?(String)
+          version_to_be_permitted =
+            version_class.new(version_to_be_permitted)
+        end
+        op, version = requirement.requirements.first
+        version = version.release if version.prerelease?
+
+        index_to_update =
+          version.segments.map.with_index { |seg, i| seg.zero? ? 0 : i }.max
+
+        new_segments = version.segments.map.with_index do |_, index|
+          if index < index_to_update
+            version_to_be_permitted.segments[index]
+          elsif index == index_to_update
+            version_to_be_permitted.segments[index] + 1
+          else 0
+          end
+        end
+
+        requirement_class.new("#{op} #{new_segments.join('.')}")
+      end
+
+      def version_class
+        Version
+      end
+
+      def requirement_class
+        Requirement
+      end
+    end
+  end
+end

data/lib/dependabot/terraform/update_checker.rb

@@ -0,0 +1,197 @@
+# frozen_string_literal: true
+
+require "dependabot/update_checkers"
+require "dependabot/update_checkers/base"
+require "dependabot/git_commit_checker"
+require "dependabot/terraform/requirements_updater"
+require "dependabot/terraform/requirement"
+require "dependabot/terraform/version"
+
+module Dependabot
+  module Terraform
+    class UpdateChecker < Dependabot::UpdateCheckers::Base
+      def latest_version
+        return latest_version_for_git_dependency if git_dependency?
+        return latest_version_for_registry_dependency if registry_dependency?
+        # Other sources (mercurial, path dependencies) just return `nil`
+      end
+
+      def latest_resolvable_version
+        # No concept of resolvability for terraform modules (that we're aware
+        # of - there may be in future).
+        latest_version
+      end
+
+      def latest_resolvable_version_with_no_unlock
+        # Irrelevant, since Terraform doesn't have a lockfile
+        nil
+      end
+
+      def updated_requirements
+        RequirementsUpdater.new(
+          requirements: dependency.requirements,
+          latest_version: latest_version&.to_s,
+          tag_for_latest_version: tag_for_latest_version
+        ).updated_requirements
+      end
+
+      def requirements_unlocked_or_can_be?
+        # If the requirement comes from a proxy URL then there's no way for
+        # us to update it
+        !proxy_requirement?
+      end
+
+      def requirement_class
+        Requirement
+      end
+
+      def version_class
+        Version
+      end
+
+      private
+
+      def latest_version_resolvable_with_full_unlock?
+        # Full unlock checks aren't relevant for Terraform files
+        false
+      end
+
+      def updated_dependencies_after_full_unlock
+        raise NotImplementedError
+      end
+
+      def latest_version_for_registry_dependency
+        return unless registry_dependency?
+
+        if @latest_version_for_registry_dependency
+          return @latest_version_for_registry_dependency
+        end
+
+        versions = all_registry_versions
+        versions.reject!(&:prerelease?) unless wants_prerelease?
+        versions.reject! { |v| ignore_reqs.any? { |r| r.satisfied_by?(v) } }
+
+        @latest_version_for_registry_dependency = versions.max
+      end
+
+      def all_registry_versions
+        hostname = dependency_source_details.fetch(:registry_hostname)
+        identifier = dependency_source_details.fetch(:module_identifier)
+
+        # TODO: Implement service discovery for custom registries
+        return unless hostname == "registry.terraform.io"
+
+        url = "https://registry.terraform.io/v1/modules/"\
+              "#{identifier}/versions"
+
+        response = Excon.get(
+          url,
+          idempotent: true,
+          **SharedHelpers.excon_defaults
+        )
+
+        unless response.status == 200
+          raise "Response from registry was #{response.status}"
+        end
+
+        JSON.parse(response.body).
+          fetch("modules").first.fetch("versions").
+          map { |release| version_class.new(release.fetch("version")) }
+      end
+
+      def wants_prerelease?
+        current_version = dependency.version
+        if current_version &&
+           version_class.correct?(current_version) &&
+           version_class.new(current_version).prerelease?
+          return true
+        end
+
+        dependency.requirements.any? do |req|
+          req[:requirement]&.match?(/\d-[A-Za-z0-9]/)
+        end
+      end
+
+      def latest_version_for_git_dependency
+        # If the module isn't pinned then there's nothing for us to update
+        # (since there's no lockfile to update the version in). We still
+        # return the latest commit for the given branch, in order to keep
+        # this method consistent
+        unless git_commit_checker.pinned?
+          return git_commit_checker.head_commit_for_current_branch
+        end
+
+        # If the dependency is pinned to a tag that looks like a version then
+        # we want to update that tag. Because we don't have a lockfile, the
+        # latest version is the tag itself.
+        if git_commit_checker.pinned_ref_looks_like_version?
+          latest_tag = git_commit_checker.local_tag_for_latest_version&.
+                       fetch(:tag)
+          version_rgx = GitCommitChecker::VERSION_REGEX
+          return unless latest_tag.match(version_rgx)
+
+          version = latest_tag.match(version_rgx).
+                    named_captures.fetch("version")
+          return version_class.new(version)
+        end
+
+        # If the dependency is pinned to a tag that doesn't look like a
+        # version then there's nothing we can do.
+        nil
+      end
+
+      def tag_for_latest_version
+        return unless git_commit_checker.git_dependency?
+        return unless git_commit_checker.pinned?
+        return unless git_commit_checker.pinned_ref_looks_like_version?
+
+        latest_tag = git_commit_checker.local_tag_for_latest_version&.
+                     fetch(:tag)
+
+        version_rgx = GitCommitChecker::VERSION_REGEX
+        return unless latest_tag.match(version_rgx)
+
+        latest_tag
+      end
+
+      def proxy_requirement?
+        dependency.requirements.any? do |req|
+          req.fetch(:source)&.fetch(:proxy_url, nil)
+        end
+      end
+
+      def registry_dependency?
+        return false if dependency_source_details.nil?
+
+        dependency_source_details.fetch(:type) == "registry"
+      end
+
+      def dependency_source_details
+        sources =
+          dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
+
+        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
+
+        sources.first
+      end
+
+      def git_dependency?
+        git_commit_checker.git_dependency?
+      end
+
+      def git_commit_checker
+        @git_commit_checker ||=
+          GitCommitChecker.new(
+            dependency: dependency,
+            credentials: credentials,
+            ignored_versions: ignored_versions,
+            requirement_class: Requirement,
+            version_class: Version
+          )
+      end
+    end
+  end
+end
+
+Dependabot::UpdateCheckers.
+  register("terraform", Dependabot::Terraform::UpdateChecker)

data/lib/dependabot/terraform/version.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+# Terraform pre-release versions use 1.0.1-rc1 syntax, which Gem::Version
+# converts into 1.0.1.pre.rc1. We override the `to_s` method to stop that
+# alteration.
+#
+# See, for example, https://releases.hashicorp.com/terraform/
+
+module Dependabot
+  module Terraform
+    class Version < Gem::Version
+      def initialize(version)
+        @version_string = version.to_s
+        super
+      end
+
+      def to_s
+        @version_string
+      end
+    end
+  end
+end
+
+Dependabot::Utils.
+  register_version_class("terraform", Dependabot::Terraform::Version)

metadata

@@ -0,0 +1,180 @@
+--- !ruby/object:Gem::Specification
+name: dependabot-terraform
+version: !ruby/object:Gem::Version
+  version: 0.76.1
+platform: ruby
+authors:
+- Dependabot
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-12-06 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: dependabot-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.76.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.76.1
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+- !ruby/object:Gem::Dependency
+  name: rspec-its
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: rspec_junit_formatter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.61'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.61'
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+description: Automated dependency management for Ruby, JavaScript, Python, PHP, Elixir,
+  Rust, Java, .NET, Elm and Go
+email: support@dependabot.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- helpers/build
+- lib/dependabot/terraform.rb
+- lib/dependabot/terraform/file_fetcher.rb
+- lib/dependabot/terraform/file_parser.rb
+- lib/dependabot/terraform/file_updater.rb
+- lib/dependabot/terraform/metadata_finder.rb
+- lib/dependabot/terraform/requirement.rb
+- lib/dependabot/terraform/requirements_updater.rb
+- lib/dependabot/terraform/update_checker.rb
+- lib/dependabot/terraform/version.rb
+homepage: https://github.com/dependabot/dependabot-core
+licenses:
+- Nonstandard
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6
+signing_key: 
+specification_version: 4
+summary: Terraform support for dependabot-core
+test_files: []