dependabot-terraform 0.181.0 → 0.182.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/dependabot/terraform/file_updater.rb +99 -7
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 74fdece7083163ed271c5f4b0ff5145ea87b934bd636a3701c511521cbad7b18
|
|
4
|
+
data.tar.gz: d7baa6837144c41943751d307b9b36db22dfd2ce63dbe8936a21b4734b3676f5
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 28e794e53f62c43cb89a543ec3f9702cd9a4efdc3ce72ac81cb0426ad0e3faa9abfd2094545514325092216716cbcfbe4ca6646c83d05fe39ed5c4159063e680
|
|
7
|
+
data.tar.gz: d5e81c178ead5f6dff60d54b4e814cf1514ed638eb8777cfc2a19c3ce6f44a11f8591c6f6a808d820623f74ff99e9673e9ddd7797179ce5c32322ba1df03cf9a
|
|
@@ -94,25 +94,110 @@ module Dependabot
|
|
|
94
94
|
end
|
|
95
95
|
end
|
|
96
96
|
|
|
97
|
-
def
|
|
97
|
+
def extract_provider_h1_hashes(content, declaration_regex)
|
|
98
|
+
content.match(declaration_regex).to_s.
|
|
99
|
+
match(hashes_object_regex).to_s.
|
|
100
|
+
split("\n").map { |hash| hash.match(hashes_string_regex).to_s }.
|
|
101
|
+
select { |h| h&.match?(/^h1:/) }
|
|
102
|
+
end
|
|
103
|
+
|
|
104
|
+
def lockfile_details(new_req)
|
|
105
|
+
content = lock_file.content.dup
|
|
106
|
+
provider_source = new_req[:source][:registry_hostname] + "/" + new_req[:source][:module_identifier]
|
|
107
|
+
declaration_regex = lockfile_declaration_regex(provider_source)
|
|
108
|
+
|
|
109
|
+
[content, provider_source, declaration_regex]
|
|
110
|
+
end
|
|
111
|
+
|
|
112
|
+
def lookup_hash_architecture # rubocop:disable Metrics/AbcSize, Metrics/MethodLength, Metrics/PerceivedComplexity
|
|
113
|
+
new_req = dependency.requirements.first
|
|
114
|
+
|
|
115
|
+
# NOTE: Only providers are inlcuded in the lockfile, modules are not
|
|
116
|
+
return unless new_req[:source][:type] == "provider"
|
|
117
|
+
|
|
118
|
+
architectures = []
|
|
119
|
+
content, provider_source, declaration_regex = lockfile_details(new_req)
|
|
120
|
+
hashes = extract_provider_h1_hashes(content, declaration_regex)
|
|
121
|
+
|
|
122
|
+
# These are ordered in assumed popularity
|
|
123
|
+
possible_architectures = %w(
|
|
124
|
+
linux_amd64
|
|
125
|
+
darwin_amd64
|
|
126
|
+
windows_amd64
|
|
127
|
+
darwin_arm64
|
|
128
|
+
linux_arm64
|
|
129
|
+
)
|
|
130
|
+
|
|
131
|
+
base_dir = dependency_files.first.directory
|
|
132
|
+
lockfile_hash_removed = content.sub(hashes_object_regex, "")
|
|
133
|
+
|
|
134
|
+
# This runs in the same directory as the actual lockfile update so
|
|
135
|
+
# the platform must be determined before the updated manifest files
|
|
136
|
+
# are written to disk
|
|
137
|
+
SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
|
|
138
|
+
possible_architectures.each do |arch|
|
|
139
|
+
# Exit early if we have detected all of the architectures present
|
|
140
|
+
break if architectures.count == hashes.count
|
|
141
|
+
|
|
142
|
+
# Terraform will update the lockfile in place so we use a fresh lockfile for each lookup
|
|
143
|
+
File.write(".terraform.lock.hcl", lockfile_hash_removed)
|
|
144
|
+
|
|
145
|
+
SharedHelpers.run_shell_command("terraform providers lock -platform=#{arch} #{provider_source} -no-color")
|
|
146
|
+
|
|
147
|
+
updated_lockfile = File.read(".terraform.lock.hcl")
|
|
148
|
+
updated_hashes = extract_provider_h1_hashes(updated_lockfile, declaration_regex)
|
|
149
|
+
next if updated_hashes.nil?
|
|
150
|
+
|
|
151
|
+
# Check if the architecture is present in the original lockfile
|
|
152
|
+
hashes.each do |hash|
|
|
153
|
+
updated_hashes.select { |h| h.match?(/^h1:/) }.each do |updated_hash|
|
|
154
|
+
architectures.append(arch.to_sym) if hash == updated_hash
|
|
155
|
+
end
|
|
156
|
+
end
|
|
157
|
+
|
|
158
|
+
File.delete(".terraform.lock.hcl")
|
|
159
|
+
end
|
|
160
|
+
rescue SharedHelpers::HelperSubprocessFailed => e
|
|
161
|
+
if @retrying_lock && e.message.match?(MODULE_NOT_INSTALLED_ERROR)
|
|
162
|
+
mod = e.message.match(MODULE_NOT_INSTALLED_ERROR).named_captures.fetch("mod")
|
|
163
|
+
raise Dependabot::DependencyFileNotResolvable, "Attempt to install module #{mod} failed"
|
|
164
|
+
end
|
|
165
|
+
raise if @retrying_lock || !e.message.include?("terraform init")
|
|
166
|
+
|
|
167
|
+
# NOTE: Modules need to be installed before terraform can update the lockfile
|
|
168
|
+
@retrying_lock = true
|
|
169
|
+
run_terraform_init
|
|
170
|
+
retry
|
|
171
|
+
end
|
|
172
|
+
|
|
173
|
+
architectures.to_a
|
|
174
|
+
end
|
|
175
|
+
|
|
176
|
+
def architecture_type
|
|
177
|
+
@architecture_type ||= lookup_hash_architecture.empty? ? [:linux_amd64] : lookup_hash_architecture
|
|
178
|
+
end
|
|
179
|
+
|
|
180
|
+
def update_lockfile_declaration(updated_manifest_files) # rubocop:disable Metrics/AbcSize, Metrics/PerceivedComplexity
|
|
98
181
|
return if lock_file.nil?
|
|
99
182
|
|
|
100
183
|
new_req = dependency.requirements.first
|
|
101
184
|
# NOTE: Only providers are inlcuded in the lockfile, modules are not
|
|
102
185
|
return unless new_req[:source][:type] == "provider"
|
|
103
186
|
|
|
104
|
-
content =
|
|
105
|
-
provider_source = new_req[:source][:registry_hostname] + "/" + new_req[:source][:module_identifier]
|
|
106
|
-
declaration_regex = lockfile_declaration_regex(provider_source)
|
|
187
|
+
content, provider_source, declaration_regex = lockfile_details(new_req)
|
|
107
188
|
lockfile_dependency_removed = content.sub(declaration_regex, "")
|
|
108
189
|
|
|
109
190
|
base_dir = dependency_files.first.directory
|
|
110
191
|
SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
|
|
192
|
+
# Determine the provider using the original manifest files
|
|
193
|
+
platforms = architecture_type.map { |arch| "-platform=#{arch}" }.join(" ")
|
|
194
|
+
|
|
111
195
|
# Update the provider requirements in case the previous requirement doesn't allow the new version
|
|
112
196
|
updated_manifest_files.each { |f| File.write(f.name, f.content) }
|
|
113
197
|
|
|
114
198
|
File.write(".terraform.lock.hcl", lockfile_dependency_removed)
|
|
115
|
-
|
|
199
|
+
|
|
200
|
+
SharedHelpers.run_shell_command("terraform providers lock #{platforms} #{provider_source}")
|
|
116
201
|
|
|
117
202
|
updated_lockfile = File.read(".terraform.lock.hcl")
|
|
118
203
|
updated_dependency = updated_lockfile.scan(declaration_regex).first
|
|
@@ -130,8 +215,7 @@ module Dependabot
|
|
|
130
215
|
end
|
|
131
216
|
raise if @retrying_lock || !e.message.include?("terraform init")
|
|
132
217
|
|
|
133
|
-
# NOTE: Modules need to be installed before terraform can update the
|
|
134
|
-
# lockfile
|
|
218
|
+
# NOTE: Modules need to be installed before terraform can update the lockfile
|
|
135
219
|
@retrying_lock = true
|
|
136
220
|
run_terraform_init
|
|
137
221
|
retry
|
|
@@ -178,6 +262,14 @@ module Dependabot
|
|
|
178
262
|
raise "No Terraform configuration file!"
|
|
179
263
|
end
|
|
180
264
|
|
|
265
|
+
def hashes_object_regex
|
|
266
|
+
/hashes\s*=\s*.*\]/m
|
|
267
|
+
end
|
|
268
|
+
|
|
269
|
+
def hashes_string_regex
|
|
270
|
+
/(?<=\").*(?=\")/
|
|
271
|
+
end
|
|
272
|
+
|
|
181
273
|
def provider_declaration_regex
|
|
182
274
|
name = Regexp.escape(dependency.name)
|
|
183
275
|
%r{
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-terraform
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.182.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-04-
|
|
11
|
+
date: 2022-04-20 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.182.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.182.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: debase
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|