Skip to content

provider_missing_default_tags: correctly handle unknown values #851

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Apr 8, 2025
Merged

provider_missing_default_tags: correctly handle unknown values #851

merged 4 commits into from
Apr 8, 2025

Conversation

bendrucker
Copy link
Member

Fixes a bug where provider_missing_default_tags does not correctly handle unknown tags. Adds the missing test coverage and then fixes the failing tests by correcting the control flow for unknown values.

Cases

Unknown

The incorrect flow:

if !known {
  return nil
}

Doing this inside the EvaluateExpr callback effectively ignores the value and leaves providerTags empty before checking for unset tags. Instead, unknown values need to short circuit the comparison. So I've returned an error, borrowing tflint.UnknownError.

Null

The multiple cases where errors are silently discarded was a red flag:

if err != nil {
  return nil
}

Now, all errors are returned except evaluation errors of the tags attribute. This could be due to an explicit unknown value error or it could be a null value. As in:

provider "aws" {
  default_tags {
    tags = {
      (var.tag): "bar"
    }
  }
}

variable "tag" {
  type = string
}

This is technically not valid configuration, as var.tag is null, and null is not a valid map key. We could just return this error and insist users pass a variable value to TFLint or set a default to make the configuration valid. I initially went that path.

But for the sake of backward compatibility, any error will short circuit checking (as before). But now, the warning log happens outside of the EvalauteExpr callback, for all errors, such that they are no longer wholly silent. If the rule is skipping a tag map because of a null key error, it will print that error in a warning.

Related

Closes #850

@bendrucker bendrucker requested a review from wata727 March 26, 2025 18:15
@bendrucker bendrucker mentioned this pull request Mar 26, 2025
Closed
wata727
wata727 reviewed Mar 28, 2025
View reviewed changes
rules/aws_provider_missing_default_tags.go
@@ -141,7 +140,8 @@ func (r *AwsProviderMissingDefaultTagsRule) Check(runner tflint.Runner) error {
}, nil)

if err != nil {
return nil
logger.Warn("Could not evaluate tags, skipping %s.%s.%s.%s: %s", provider.Labels[0], providerAlias, providerDefaultTagsBlockName, providerTagsAttributeName, err)
continue
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Considering that feedback may be lost in case of simple evaluation errors (e.g. undefined variables), would it be better to only short circuit in the tflint.ErrUnknownValue case?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this is an option, that's what I did originally. Ignoring null variable values would be a separate case. What do you think about erroring there, versus trying to ignore it?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think unknown and null values should be ignored, but other errors should not be ignored. How about the following?

if errors.Is(err, tflint.ErrUnknownValue) {
	logger.Warn("Could not evaluate tags, skipping %s.%s.%s.%s: %s", provider.Labels[0], providerAlias, providerDefaultTagsBlockName, providerTagsAttributeName, err)
	continue
}

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In spirit I agree, but the null case comes in as a raw diagnostic and not a wrapped/simple error:

https://github.com/hashicorp/hcl/blob/b4e1e146a0c3b53f973064ae3fce7b69f5ef13a0/hclsyntax/expression.go#L1219-L1230

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops, I missed that. As you say, if the key is null, it doesn't seem to reach getKeysForValue.
I misunderstood the following case:

tflint-ruleset-aws/rules/aws_resource_missing_tags.go

Lines 385 to 387 in 20dacdc

if value.IsNull() {
return keys, true
}

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah it's unclear if 100% of that function is actually covered by possible configuration. Particularly this null key case. I'll write some unit tests against it and see if there's dead code.

wata727
wata727 approved these changes Apr 7, 2025
View reviewed changes
Copy link
Member

@wata727 wata727 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@bendrucker bendrucker merged commit 5624739 into master Apr 8, 2025
9 checks passed
@bendrucker bendrucker deleted the provider-missing-default-tags-unknown branch April 8, 2025 00:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wata727 wata727 wata727 approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

provider_missing_default_tags does not work with dynamic tags
2 participants
@bendrucker @wata727