dependabot-terraform 0.367.0 → 0.368.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 389933322316b6c2adf5622aa7609f6a963328f40a0b917c20599b0a8d119b9f
-  data.tar.gz: 28b9548394102c654c739c418f26687f546e527410cded37a6df51f628a930f9
+  metadata.gz: 70cf97fb42d98440944e843c09f2909b5206a0859715b170c17c94e355ade662
+  data.tar.gz: 6c8022c3e1a286992bbc83a1851c84ff293e29f6b5773d287e0498bc55b38150
 SHA512:
-  metadata.gz: 41ea4cf23c32b98ec673ddbbaa85de54e151aca4a9021c11f6b782a5d4f45c14707ccb9e3c9f37c686415b1aa894a6691970473d8eb95feda318bb63a3be4aac
-  data.tar.gz: 48067bf39c1f9e2d2e1aefd331f71894c226d89b3be6ecd7f13761b621e24cb488c0cb97ca77d6c82e5eccc6e1b9a33b1bc211cc32cf88353350e378fe575dd7
+  metadata.gz: 45336906f1e79f9fb1d27945e1a52e0e40e2a760128dfb5ca6fca7389dc05b87fe0121b005a598f391eeb2128b92fda4a3cd8c66ad1c15aead11a58fba8d3a65
+  data.tar.gz: 7c33db9982823d3ae2d92cf7b2f8ba03eca0e7505a7a5a02ef957b28b616bb2be7a73905a42879e0b0f3bea57a31c210d6520bb969bac1e615a675746a4d3feb

data/lib/dependabot/terraform/file_updater/provider_cli_config_builder.rb

@@ -0,0 +1,178 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "json"
+require "open3"
+require "securerandom"
+require "pathname"
+require "dependabot/shared_helpers"
+require "dependabot/terraform/file_updater"
+
+module Dependabot
+  module Terraform
+    class FileUpdater < Dependabot::FileUpdaters::Base
+      # Builds a Terraform CLI config that uses dev_overrides for non-target
+      # providers, preventing Terraform from resolving private/custom providers
+      # during lockfile updates.
+      class ProviderCliConfigBuilder
+        extend T::Sig
+
+        DEFAULT_REGISTRY = "registry.terraform.io"
+        DEFAULT_NAMESPACE = "hashicorp"
+
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            terraform_files: T::Array[Dependabot::DependencyFile]
+          ).void
+        end
+        def initialize(dependency:, terraform_files:)
+          @dependency = dependency
+          @terraform_files = terraform_files
+          @terraform_cli_config_path = T.let(nil, T.nilable(String))
+          @dev_override_dir = T.let(nil, T.nilable(String))
+        end
+
+        sig { returns(T::Hash[String, String]) }
+        def env
+          sources = non_target_provider_sources
+          return {} if sources.empty?
+
+          config_path = generate_provider_dev_overrides_config(sources)
+          { "TF_CLI_CONFIG_FILE" => config_path }
+        end
+
+        sig { void }
+        def cleanup
+          if @terraform_cli_config_path
+            FileUtils.rm_f(@terraform_cli_config_path)
+            @terraform_cli_config_path = nil
+          end
+          return unless @dev_override_dir
+
+          FileUtils.rm_rf(@dev_override_dir)
+          @dev_override_dir = nil
+        end
+
+        private
+
+        sig { returns(Dependabot::Dependency) }
+        attr_reader :dependency
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        attr_reader :terraform_files
+
+        sig { returns(T::Array[String]) }
+        def non_target_provider_sources
+          target = target_provider_source
+          return [] unless target
+
+          collect_provider_sources_from_files.reject { |s| s == target }
+        end
+
+        sig { returns(T.nilable(String)) }
+        def target_provider_source
+          req = dependency.requirements.first
+          return unless req
+
+          source = req[:source]
+          return unless source && source[:type] == "provider"
+
+          hostname = source[:registry_hostname] || DEFAULT_REGISTRY
+          identifier = source[:module_identifier]
+          return unless identifier
+
+          "#{hostname}/#{identifier}".downcase
+        end
+
+        sig { returns(T::Array[String]) }
+        def collect_provider_sources_from_files
+          sources = T.let([], T::Array[String])
+          terraform_files.each do |file|
+            parsed = parse_hcl_file(file)
+            parsed.fetch("terraform", []).each do |terraform_block|
+              terraform_block.fetch("required_providers", {}).each do |providers|
+                providers.each do |name, details|
+                  next unless details.is_a?(Hash)
+
+                  source_address = details.fetch("source", nil)
+                  sources << normalize_provider_source(source_address, name)
+                end
+              end
+            end
+          end
+          sources.uniq
+        end
+
+        sig { params(source_address: T.nilable(String), name: String).returns(String) }
+        def normalize_provider_source(source_address, name)
+          if source_address
+            parts = source_address.split("/")
+            if parts.length == 2
+              "#{DEFAULT_REGISTRY}/#{source_address}".downcase
+            else
+              source_address.downcase
+            end
+          else
+            "#{DEFAULT_REGISTRY}/#{DEFAULT_NAMESPACE}/#{name}".downcase
+          end
+        end
+
+        sig { params(file: Dependabot::DependencyFile).returns(T::Hash[String, T.untyped]) }
+        def parse_hcl_file(file)
+          return {} unless file.content
+
+          SharedHelpers.in_a_temporary_directory do
+            File.write("tmp.tf", file.content)
+            command = "#{terraform_hcl2_parser_path} < tmp.tf"
+            stdout, _stderr, process = Open3.capture3(command)
+            return {} unless process.success?
+
+            JSON.parse(stdout)
+          end
+        rescue StandardError
+          {}
+        end
+
+        sig { params(provider_sources: T::Array[String]).returns(String) }
+        def generate_provider_dev_overrides_config(provider_sources)
+          dev_override_dir = File.join(Dir.tmpdir, "dependabot-tf-dev-#{SecureRandom.hex(4)}")
+          FileUtils.mkdir_p(dev_override_dir)
+          @dev_override_dir = dev_override_dir
+
+          overrides = provider_sources.map do |source|
+            "    \"#{source}\" = \"#{dev_override_dir}\""
+          end.join("\n")
+
+          config_content = <<~CONFIG
+            provider_installation {
+              dev_overrides {
+            #{overrides}
+              }
+              direct {}
+            }
+          CONFIG
+
+          config_path = File.join(Dir.tmpdir, "dependabot-terraform-#{SecureRandom.hex(4)}.rc")
+          File.write(config_path, config_content)
+          @terraform_cli_config_path = config_path
+
+          config_path
+        end
+
+        sig { returns(String) }
+        def terraform_hcl2_parser_path
+          helper_bin_dir = File.join(native_helpers_root, "terraform/bin")
+          Pathname.new(File.join(helper_bin_dir, "hcl2json")).cleanpath.to_path
+        end
+
+        sig { returns(String) }
+        def native_helpers_root
+          default_path = File.join(__dir__, "../../../../helpers/install-dir")
+          ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", default_path)
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/terraform/file_updater.rb

@@ -14,6 +14,8 @@ module Dependabot
     class FileUpdater < Dependabot::FileUpdaters::Base
       extend T::Sig
 
+      require_relative "file_updater/provider_cli_config_builder"
+
       include FileSelector
 
       PRIVATE_MODULE_ERROR = /Could not download module.*code from\n.*\"(?<repo>\S+)\":/
@@ -46,6 +48,8 @@ module Dependabot
         raise "No files changed!" if updated_files.none?
 
         updated_files
+      ensure
+        cleanup_terraform_cli_config
       end
 
       private
@@ -215,7 +219,8 @@ module Dependabot
 
             SharedHelpers.run_shell_command(
               "terraform providers lock -platform=#{arch} #{provider_source} -no-color",
-              fingerprint: "terraform providers lock -platform=<arch> <provider_source> -no-color"
+              fingerprint: "terraform providers lock -platform=<arch> <provider_source> -no-color",
+              env: terraform_env
             )
 
             updated_lockfile = File.read(".terraform.lock.hcl")
@@ -282,7 +287,8 @@ module Dependabot
 
           SharedHelpers.run_shell_command(
             "terraform providers lock #{platforms} #{provider_source}",
-            fingerprint: "terraform providers lock <platforms> <provider_source>"
+            fingerprint: "terraform providers lock <platforms> <provider_source>",
+            env: terraform_env
           )
 
           updated_lockfile = File.read(".terraform.lock.hcl")
@@ -319,7 +325,10 @@ module Dependabot
           # -backend=false option used to ignore any backend configuration, as these won't be accessible
           # -input=false option used to immediately fail if it needs user input
           # -no-color option used to prevent any color characters being printed in the output
-          SharedHelpers.run_shell_command("terraform init -backend=false -input=false -no-color")
+          SharedHelpers.run_shell_command(
+            "terraform init -backend=false -input=false -no-color",
+            env: terraform_env
+          )
         rescue SharedHelpers::HelperSubprocessFailed => e
           output = e.message
 
@@ -428,6 +437,30 @@ module Dependabot
           (?:(?!^\}).)*}
         /mix
       end
+
+      sig { returns(T::Hash[String, String]) }
+      def terraform_env
+        @terraform_env ||= T.let(
+          provider_cli_config_builder.env,
+          T.nilable(T::Hash[String, String])
+        )
+      end
+
+      sig { void }
+      def cleanup_terraform_cli_config
+        provider_cli_config_builder.cleanup
+      end
+
+      sig { returns(ProviderCliConfigBuilder) }
+      def provider_cli_config_builder
+        @provider_cli_config_builder ||= T.let(
+          ProviderCliConfigBuilder.new(
+            dependency: dependency,
+            terraform_files: terraform_files
+          ),
+          T.nilable(ProviderCliConfigBuilder)
+        )
+      end
     end
 
     class FileUpdaterErrorHandler

data/lib/dependabot/terraform/registry_client.rb

@@ -227,8 +227,11 @@ module Dependabot
         return uri.to_s if uri.scheme == "https"
         raise error("Unsupported scheme provided") if uri.host && uri.scheme
 
-        uri.host = hostname
+        parsed_hostname = URI.parse("https://#{hostname}")
+        uri.host = parsed_hostname.host
         uri.scheme = "https"
+        # Only set port explicitly when it differs from the default HTTPS port
+        uri.port = parsed_hostname.port unless parsed_hostname.port == URI::HTTPS.default_port
         uri.to_s
       end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-terraform
 version: !ruby/object:Gem::Version
-  version: 0.367.0
+  version: 0.368.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.367.0
+        version: 0.368.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.367.0
+        version: 0.368.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -248,6 +248,7 @@ files:
 - lib/dependabot/terraform/file_parser.rb
 - lib/dependabot/terraform/file_selector.rb
 - lib/dependabot/terraform/file_updater.rb
+- lib/dependabot/terraform/file_updater/provider_cli_config_builder.rb
 - lib/dependabot/terraform/metadata_finder.rb
 - lib/dependabot/terraform/package/package_details_fetcher.rb
 - lib/dependabot/terraform/package_manager.rb
@@ -262,7 +263,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.367.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.368.0
 rdoc_options: []
 require_paths:
 - lib