hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io

Weeder for Terraform: tooling to find and remove unused Terraform code #35882

Open ketzacoatl opened 1 month ago

ketzacoatl commented 1 month ago

Terraform Version

> terraform-1.10.0-alpha-rc-2024-10-09 --version
Terraform v1.10.0-alpha20241009
on linux_amd64

I don't see a command that would relate to this feature/capability.

> terraform-1.10.0-alpha-rc-2024-10-09 --help
...

Main commands:
  init          Prepare your working directory for other commands
  validate      Check whether the configuration is valid
  plan          Show changes required by the current configuration
  apply         Create or update infrastructure
  destroy       Destroy previously-created infrastructure

All other commands:
  cloud         Manage HCP Terraform settings and metadata
  console       Try Terraform expressions at an interactive command prompt
  fmt           Reformat your configuration in the standard style
  force-unlock  Release a stuck lock on the current workspace
  get           Install or upgrade remote Terraform modules
  graph         Generate a Graphviz graph of the steps in an operation
  import        Associate existing infrastructure with a Terraform resource
  login         Obtain and save credentials for a remote host
  logout        Remove locally-stored credentials for a remote host
  metadata      Metadata related commands
  output        Show output values from your root module
  providers     Show the providers required for this configuration
  refresh       Update the state to match remote systems
  show          Show the current state or a saved plan
  state         Advanced state management
  taint         Mark a resource instance as not fully functional
  test          Execute integration tests for Terraform modules
  untaint       Remove the 'tainted' state from a resource instance
  version       Show the current Terraform version
  workspace     Workspace management

Global options (use these before the subcommand, if any):
  -chdir=DIR    Switch to a different working directory before executing the
                given subcommand.
  -help         Show this help output, or the help for a specified subcommand.
  -version      An alias for the "version" subcommand.

Use Cases

As your Terraform codebase grows, it gets increasingly difficult to find and identify unused Terraform code. This can come in the form of unused local values, variables, outputs, and modules. There is also a difference between "this is an optional variable" and "this variable is defined but not even used". Local values are also easy to locate when defined but left unused. Unused modules are a little more difficult to find, but it's still sometimes relevant. Outputs are a bit more vague, but it might be nice to have an option to find and print outputs that aren't being used / consumed in a codebase.

Attempted Solutions

I do this manually with code review, git grep, and my IDE.

Proposal

Terraform could provide warnings during regular plan/etc operations when it finds unused code, similar to when Terraform finds references to values that are undeclared. There could also, or alternatively, be a command similar to fmt which traverses a module/project or group of modules/projects to find unused code.

References

The inspiration for this comes from the general idea of "removing dead code", as well as specific tools such as "weeder" for Haskell:

Weeder is an application to perform whole-program dead-code analysis. Dead code is code that is written, but never reachable from any other code. Over the lifetime of a project, this happens as code is added and removed, and leftover code is never cleaned up. While GHC has warnings to detect dead code in a single module, these warnings don't extend across module boundaries - this is where Weeder comes in. Weeder uses HIE files produced by GHC - these files can be thought of as source code that has been enhanced by GHC, adding full symbol resolution and type information. Weeder builds a dependency graph from these files to understand how code interacts. Once all analysis is done, Weeder performs a traversal of this graph from a set of roots (e.g., your main function), and determines which code is reachable and which code is dead.
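
The root-based traversal from the Weeder description, applied to `var.*` and `local.*` references in a single module, as an added example that is not part of the issue or of Terraform. It shows why reachability finds more than a text search: a variable referenced only by an unused local is itself dead. Assumptions: a regex-level reading of HCL (one-line block headers, balanced braces, no braces inside strings or heredocs), every block other than `variable` and `locals` counts as a root, and the names `parse`, `find_unused` and `SAMPLE` are hypothetical.

```python
import re
REF = re.compile(r"\b(var|local)\.([A-Za-z_][\w-]*)")  # var.x / local.x uses
HEADER = re.compile(r'^(\w+)(?:\s+"([^"]*)")?(?:\s+"[^"]*")*\s*\{\s*$')
ATTR = re.compile(r"^\s*([A-Za-z_][\w-]*)\s*=(?!=)")  # name = expr in locals

# Constructed sample: grep finds uses of legacy_ami and old_tags, yet no root does.
SAMPLE = '''
variable "region" {
}
variable "legacy_ami" {
}
locals {
  name_prefix = "app-${var.region}"
  old_tags    = { Image = var.legacy_ami }
  all_tags    = merge(local.old_tags, { Env = "dev" })
}
resource "aws_s3_bucket" "logs" {
  bucket = "${local.name_prefix}-logs"
}
'''

def parse(source):
    """Collect the body lines of each var/local definition and of each root block."""
    nodes, roots, depth, kind, target = {}, [], 0, None, None
    for line in source.splitlines():
        if line.lstrip().startswith(("#", "//")):
            continue  # whole-line comments carry no references
        if depth == 0 and (m := HEADER.match(line)):
            kind, target = m.group(1), None
            if kind == "variable":
                target = nodes.setdefault("var." + m.group(2), [])
            elif kind != "locals":  # resource, data, module, output, provider
                roots.append(target := [])
        elif depth == 1 and kind == "locals" and (m := ATTR.match(line)):
            target = nodes.setdefault("local." + m.group(1), [])
        if depth > 0 and target is not None:
            target.append(line)
        depth += line.count("{") - line.count("}")
    return nodes, roots

def find_unused(source):
    """Walk references from the root blocks; return definitions never reached."""
    nodes, roots = parse(source)
    refs = lambda lines: [f"{k}.{n}" for k, n in REF.findall("\n".join(lines))]
    live, stack = set(), [r for block in roots for r in refs(block)]
    while stack:
        if (node := stack.pop()) in nodes and node not in live:
            live.add(node)
            stack.extend(refs(nodes[node]))
    return sorted(set(nodes) - live)
```

Treating `output` blocks as roots means an output nobody consumes keeps its inputs alive; finding those requires looking at the calling modules as well.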

crw commented 1 week ago

Thanks for this feature request! If you are viewing this issue and would like to indicate your interest, please use the 👍 reaction on the issue description to upvote this issue. We also welcome additional use case descriptions. Thanks again!