Description
Terraform Version
Terraform v1.15.0-dev
on darwin_arm64
Use Cases
Users that habitually check the validity of their config using terraform validate should be able to detect when a replace_triggered_by attribute references an attribute that doesn't exist in that reference's schema. Updating the validate command would allow errors like this to be fixed before they cause disruption to a plan-apply workflow.
Attempted Solutions
There isn't really a workaround for this FR other than proceeding with plan-apply workflows and waiting for an error to occur, following the new error detection in the PR mentioned above.
Proposal
This FR follows #36740. That issue, and the PR that closed it, allow users to detect this issue when creating a plan (either in plan or apply). This means users would only realise that there is a defect in their configuration when that defect would impact a plan, not when it first enters the configuration. Also, the logic detecting bad replace_triggered_by references during plan would only be triggered if the resource referenced via replace_triggered_by is changed in a plan, so it's possible for a defect to be undetected until several plan-apply cycles have passed.
I propose that the terraform validate command should be updated to perform similar validation as in the PR that closed the issue above. This would allow users that habitually check the validity of their config to detect the defect early.
References
- replace_triggered_by doesn't report error if given attribute references don't exist #36740
- fix: validate replace_triggered_by attribute references #38010
Implementation-wise, I believe the code for validation would be in:
func (n *NodeValidatableResource) validateResource(ctx EvalContext) tfdiags.Diagnostics {
The validate command constructs a graph and walks the 'validatable nodes' within that graph. That logic above is used when validating resources.
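A minimal configuration showing the defect this request describes, as an added example that is not from the issue or the Terraform project. The resource names, the variable and the misspelled attribute `outptu` are constructed for illustration; `terraform_data` is used because its schema (`input`, `output`, `triggers_replace`, `id`) is built in and needs no provider.

```hcl
# Constructed example: a replace_triggered_by reference to an attribute
# that is not in the referenced resource's schema.

variable "revision" {
  type    = string
  default = "1"
}

# The resource whose changes are meant to force replacement of others.
resource "terraform_data" "revision" {
  input = var.revision
}

# Defective: "outptu" is a typo for "output" and does not exist in the
# terraform_data schema. Per the issue, this is only reported during
# plan/apply, and only in a plan where terraform_data.revision changes,
# so it can sit in the configuration for several plan-apply cycles.
# The request is for `terraform validate` to report it as soon as it
# enters the configuration.
resource "terraform_data" "consumer_broken" {
  lifecycle {
    replace_triggered_by = [
      terraform_data.revision.outptu,
    ]
  }
}

# Corrected: the reference names an attribute that exists in the schema,
# so a change to var.revision forces replacement of this resource.
resource "terraform_data" "consumer_fixed" {
  lifecycle {
    replace_triggered_by = [
      terraform_data.revision.output,
    ]
  }
}
```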