Override files are not compliant with the Terraform spec

[wata727]

Summary

TFLint supports Terraform override files, but is not fully compliant with the spec.

• The order in which override files are processed is completely random, not lexicographical.
  • https://github.com/terraform-linters/tflint/blob/v0.53.0/terraform/module.go#L141
• Nested blocks are recursively merged rather than replaced.
  • https://github.com/terraform-linters/tflint/blob/v0.53.0/terraform/module.go#L155
• Different merge behavior for some blocks is not implemented.
  • https://github.com/terraform-linters/tflint/blob/v0.53.0/terraform/module.go#L156-L174

For these reasons, using override files can sometimes produce different results than Terraform would, or can lead to inconsistent results like those in https://github.com/terraform-linters/tflint-ruleset-terraform/issues/205.

Command

tflint

Terraform Configuration

# main.tf
terraform {}
provider "aws" {}

# main2.tf
terraform {
  required_providers {}
}

# main_override.tf
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.64.0"
    }
  }
  required_version = "1.0.0"
}

TFLint Configuration

# empty file

Output

@wata727 ➜ /tmp/work $ tflint
@wata727 ➜ /tmp/work $ tflint
@wata727 ➜ /tmp/work $ tflint
1 issue(s) found:

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on main.tf line 3:
   3: provider "aws" {}

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

This inconsistent result is caused by which the terraform block is overwritten and which block is retrieved by the terraform_required_providers rule. If the block is retrieved that was not overwritten, this rule will emit an issue.

Ideally, the Terraform blocks in main.tf and main2.tf should be merged first.

TFLint Version

0.53.0

Terraform Version

No response

Operating System

• [X] Linux
• [X] macOS
• [X] Windows