detect deprecation marks in more places

Author: DanielMSchmidt

internal/terraform/eval_for_each.go

@@ -90,6 +90,7 @@ func (ev *forEachEvaluator) ResourceValue() (map[string]cty.Value, bool, tfdiags
 		return res, false, diags
 	}
 
+	forEachVal = marks.RemoveDeprecationMarks(forEachVal)
 	if forEachVal.IsNull() || !forEachVal.IsKnown() || markSafeLengthInt(forEachVal) == 0 {
 		// we check length, because an empty set returns a nil map which will panic below
 		return res, true, diags

internal/terraform/node_action_instance.go

@@ -71,7 +71,10 @@ func (n *NodeActionDeclarationInstance) Execute(ctx EvalContext, _ walkOperation
 		valDiags := validateResourceForbiddenEphemeralValues(ctx, configVal, n.Schema.ConfigSchema)
 		diags = diags.Append(valDiags.InConfigBody(n.Config.Config, n.Addr.String()))
 
-		if valDiags.HasErrors() {
+		deprecationDiags := ctx.Deprecations().ValidateAsConfig(configVal, n.ModulePath())
+		diags = diags.Append(deprecationDiags.InConfigBody(n.Config.Config, n.Addr.String()))
+
+		if diags.HasErrors() {
 			return diags
 		}
 	}

internal/terraform/node_action_partialexp.go

@@ -68,6 +68,12 @@ func (n *NodeActionDeclarationPartialExpanded) Execute(ctx EvalContext, op walkO
 		if diags.HasErrors() {
 			return diags
 		}
+
+		deprecationDiags := ctx.Deprecations().ValidateAsConfig(configVal, n.ActionAddr().Module)
+		diags = diags.Append(deprecationDiags)
+		if diags.HasErrors() {
+			return diags
+		}
 	}
 	ctx.Actions().AddPartialExpandedAction(n.addr, configVal, n.resolvedProvider)
 	return nil

internal/terraform/node_action_validate.go

@@ -107,6 +107,10 @@ func (n *NodeValidatableAction) Execute(ctx EvalContext, _ walkOperation) tfdiag
 	valDiags = validateResourceForbiddenEphemeralValues(ctx, configVal, schema.ConfigSchema)
 	diags = diags.Append(valDiags.InConfigBody(config, n.Addr.String()))
 
+	if diags.HasErrors() {
+		return diags
+	}
+
 	// Use unmarked value for validate request
 	unmarkedConfigVal, _ := configVal.UnmarkDeep()
 	log.Printf("[TRACE] Validating config for %q", n.Addr)

internal/terraform/node_local.go

@@ -237,5 +237,10 @@ func evaluateLocalValue(config *configs.Local, localAddr addrs.LocalValue, addrS
 	if val == cty.NilVal {
 		val = cty.DynamicVal
 	}
+
+	var deprecationDiags tfdiags.Diagnostics
+	val, deprecationDiags = ctx.Deprecations().Validate(val, ctx.Path().Module(), expr.Range().Ptr())
+	diags = diags.Append(deprecationDiags)
+
 	return val, diags
 }

internal/terraform/node_local_test.go

@@ -59,8 +59,11 @@ func TestNodeLocalExecute(t *testing.T) {
 
 				EvaluateExprResult: test.Want,
 			}
+			scopedCtx := ctx.withScope(evalContextModuleInstance{
+				Addr: addrs.RootModuleInstance,
+			})
 
-			err := n.Execute(ctx, walkApply)
+			err := n.Execute(scopedCtx, walkApply)
 			if (err != nil) != test.Err {
 				if err != nil {
 					t.Errorf("unexpected error: %s", err)

internal/terraform/node_provider.go

@@ -78,10 +78,16 @@ func (n *NodeApplyableProvider) ValidateProvider(ctx EvalContext, provider provi
 	}
 
 	configVal, _, evalDiags := ctx.EvaluateBlock(configBody, configSchema, nil, EvalDataForNoInstanceKey)
-	if evalDiags.HasErrors() {
-		return diags.Append(evalDiags)
-	}
 	diags = diags.Append(evalDiags)
+	if diags.HasErrors() {
+		return diags
+	}
+
+	deprecationDiags := ctx.Deprecations().ValidateAsConfig(configVal, n.Addr.Module)
+	diags = diags.Append(deprecationDiags.InConfigBody(configBody, n.Addr.String()))
+	if diags.HasErrors() {
+		return diags
+	}
 
 	// If our config value contains any marked values, ensure those are
 	// stripped out before sending this to the provider

internal/terraform/node_resource_abstract_instance.go

@@ -1772,6 +1772,10 @@ func (n *NodeAbstractResourceInstance) providerMetas(ctx EvalContext) (cty.Value
 				var configDiags tfdiags.Diagnostics
 				metaConfigVal, _, configDiags = ctx.EvaluateBlock(m.Config, providerSchema.ProviderMeta.Body, nil, EvalDataForNoInstanceKey)
 				diags = diags.Append(configDiags)
+				diags = diags.Append(
+					ctx.Deprecations().ValidateAsConfig(metaConfigVal, ctx.Path().Module()).InConfigBody(m.Config, n.Addr.String()),
+				)
+				metaConfigVal = marks.RemoveDeprecationMarks(metaConfigVal)
 			}
 		}
 	}
@@ -1848,6 +1852,10 @@ func (n *NodeAbstractResourceInstance) planDataSource(ctx EvalContext, checkRule
 	diags = diags.Append(
 		validateResourceForbiddenEphemeralValues(ctx, configVal, schema.Body).InConfigBody(n.Config.Config, n.Addr.String()),
 	)
+	diags = diags.Append(
+		ctx.Deprecations().ValidateAsConfig(configVal, ctx.Path().Module()).InConfigBody(n.Config.Config, n.Addr.String()),
+	)
+	configVal = marks.RemoveDeprecationMarks(configVal)
 	if diags.HasErrors() {
 		return nil, nil, deferred, keyData, diags
 	}
@@ -2185,6 +2193,14 @@ func (n *NodeAbstractResourceInstance) applyDataSource(ctx EvalContext, planned
 		return nil, keyData, diags
 	}
 
+	diags = diags.Append(
+		ctx.Deprecations().ValidateAsConfig(configVal, n.ModulePath()).InConfigBody(n.Config.Config, n.Addr.String()),
+	)
+	if diags.HasErrors() {
+		return nil, keyData, diags
+	}
+	configVal = marks.RemoveDeprecationMarks(configVal)
+
 	newVal, readDeferred, readDiags := n.readDataSource(ctx, configVal)
 	if check, nested := n.nestedInCheckBlock(); nested {
 		addr := check.Addr().Absolute(n.Addr.Module)
@@ -2496,6 +2512,8 @@ func (n *NodeAbstractResourceInstance) evalProvisionerConfig(ctx EvalContext, bo
 
 	config, _, configDiags := ctx.EvaluateBlock(body, schema, n.ResourceInstanceAddr().Resource, keyData)
 	diags = diags.Append(configDiags)
+	diags = diags.Append(ctx.Deprecations().ValidateAsConfig(config, n.ModulePath()).InConfigBody(body, n.Addr.String()))
+	config = marks.RemoveDeprecationMarks(config)
 
 	return config, diags
 }
@@ -2513,7 +2531,8 @@ func (n *NodeAbstractResourceInstance) evalDestroyProvisionerConfig(ctx EvalCont
 	evalScope := ctx.EvaluationScope(n.ResourceInstanceAddr().Resource, nil, keyData)
 	config, evalDiags := evalScope.EvalSelfBlock(body, self, schema, keyData)
 	diags = diags.Append(evalDiags)
-
+	diags = diags.Append(ctx.Deprecations().ValidateAsConfig(config, n.ModulePath()).InConfigBody(body, n.Addr.String()))
+	config = marks.RemoveDeprecationMarks(config)
 	return config, diags
 }
 

internal/terraform/node_resource_ephemeral.go

@@ -76,6 +76,11 @@ func ephemeralResourceOpen(ctx EvalContext, inp ephemeralResourceInput) (*provid
 	if diags.HasErrors() {
 		return nil, diags
 	}
+	diags = diags.Append(ctx.Deprecations().ValidateAsConfig(configVal, ctx.Path().Module()).InConfigBody(config.Config, inp.addr.String()))
+	if diags.HasErrors() {
+		return nil, diags
+	}
+
 	unmarkedConfigVal, configMarks := configVal.UnmarkDeepWithPaths()
 
 	if !unmarkedConfigVal.IsWhollyKnown() {

internal/terraform/node_resource_plan_instance.go

@@ -15,13 +15,15 @@ import (
 
 	"github.com/hashicorp/terraform/internal/addrs"
 	"github.com/hashicorp/terraform/internal/configs"
+	"github.com/hashicorp/terraform/internal/configs/configschema"
 	"github.com/hashicorp/terraform/internal/genconfig"
 	"github.com/hashicorp/terraform/internal/instances"
 	"github.com/hashicorp/terraform/internal/lang/ephemeral"
 	"github.com/hashicorp/terraform/internal/moduletest/mocking"
 	"github.com/hashicorp/terraform/internal/plans"
 	"github.com/hashicorp/terraform/internal/plans/deferring"
 	"github.com/hashicorp/terraform/internal/providers"
+	"github.com/hashicorp/terraform/internal/provisioners"
 	"github.com/hashicorp/terraform/internal/states"
 	"github.com/hashicorp/terraform/internal/tfdiags"
 )
@@ -347,6 +349,16 @@ func (n *NodePlannableResourceInstance) managedResourceExecute(ctx EvalContext)
 			repData.EachValue = cty.DynamicVal
 		}
 
+		// Even if we don't run the provisioners during plan we need to make sure they are valid
+		if n.Config != nil && n.Config.Managed != nil {
+			for _, p := range n.Config.Managed.Provisioners {
+				diags = diags.Append(n.validateProvisioner(ctx, p, n.Config.Managed.Connection, repData))
+				if diags.HasErrors() {
+					return diags
+				}
+			}
+		}
+
 		diags = diags.Append(n.replaceTriggered(ctx, repData))
 		if diags.HasErrors() {
 			return diags
@@ -638,6 +650,11 @@ func (n *NodePlannableResourceInstance) importState(ctx EvalContext, addr addrs.
 			diags = diags.Append(configDiags)
 			return nil, deferred, diags
 		}
+		diags = diags.Append(ctx.Deprecations().ValidateAsConfig(configVal, n.ModulePath()).InConfigBody(n.Config.Config, absAddr.String()))
+		if diags.HasErrors() {
+			return nil, deferred, diags
+		}
+
 		configVal, _ = configVal.UnmarkDeep()
 
 		// Let's pretend we're reading the value as a data source so we
@@ -1009,6 +1026,75 @@ func (n *NodePlannableResourceInstance) generateResourceConfig(ctx EvalContext,
 	return genconfig.ExtractLegacyConfigFromState(schema.Body, state), diags
 }
 
+func (n *NodePlannableResourceInstance) validateProvisioner(ctx EvalContext, p *configs.Provisioner, baseConn *configs.Connection, repData instances.RepetitionData) tfdiags.Diagnostics {
+	var diags tfdiags.Diagnostics
+	provisioner, err := ctx.Provisioner(p.Type)
+	if err != nil {
+		diags = diags.Append(err)
+		return diags
+	}
+
+	if provisioner == nil {
+		return diags.Append(fmt.Errorf("provisioner %s not initialized", p.Type))
+	}
+	provisionerSchema, err := ctx.ProvisionerSchema(p.Type)
+	if err != nil {
+		return diags.Append(fmt.Errorf("failed to read schema for provisioner %s: %s", p.Type, err))
+	}
+	if provisionerSchema == nil {
+		return diags.Append(fmt.Errorf("provisioner %s has no schema", p.Type))
+	}
+
+	// Validate the provisioner's own config first
+	configVal, _, configDiags := n.evaluateBlock(ctx, p.Config, provisionerSchema, repData)
+	diags = diags.Append(configDiags)
+
+	if configVal == cty.NilVal {
+		// Should never happen for a well-behaved EvaluateBlock implementation
+		return diags.Append(fmt.Errorf("EvaluateBlock returned nil value"))
+	}
+
+	// Use unmarked value for validate request
+	unmarkedConfigVal, _ := configVal.UnmarkDeep()
+	req := provisioners.ValidateProvisionerConfigRequest{
+		Config: unmarkedConfigVal,
+	}
+
+	resp := provisioner.ValidateProvisionerConfig(req)
+	diags = diags.Append(resp.Diagnostics)
+
+	if p.Connection != nil {
+		// We can't comprehensively validate the connection config since its
+		// final structure is decided by the communicator and we can't instantiate
+		// that until we have a complete instance state. However, we *can* catch
+		// configuration keys that are not valid for *any* communicator, catching
+		// typos early rather than waiting until we actually try to run one of
+		// the resource's provisioners.
+
+		cfg := p.Connection.Config
+		if baseConn != nil {
+			// Merge the local config into the base connection config, if we
+			// both specified.
+			cfg = configs.MergeBodies(baseConn.Config, cfg)
+		}
+
+		_, _, connDiags := n.evaluateBlock(ctx, cfg, connectionBlockSupersetSchema, repData)
+		diags = diags.Append(connDiags)
+	} else if baseConn != nil {
+		// Just validate the baseConn directly.
+		_, _, connDiags := n.evaluateBlock(ctx, baseConn.Config, connectionBlockSupersetSchema, repData)
+		diags = diags.Append(connDiags)
+
+	}
+	return diags
+}
+
+func (n *NodePlannableResourceInstance) evaluateBlock(ctx EvalContext, body hcl.Body, schema *configschema.Block, keyData instances.RepetitionData) (cty.Value, hcl.Body, tfdiags.Diagnostics) {
+	val, hclBody, diags := ctx.EvaluateBlock(body, schema, n.Addr.Resource, keyData)
+	diags = diags.Append(ctx.Deprecations().ValidateAsConfig(val, n.ModulePath()).InConfigBody(body, n.Addr.String()))
+	return val, hclBody, diags
+}
+
 // mergeDeps returns the union of 2 sets of dependencies
 func mergeDeps(a, b []addrs.ConfigResource) []addrs.ConfigResource {
 	switch {