Merge pull request #184 from dflook/test-load

Try loading hcl files in another process

Author: dflook

.github/workflows/test-validate.yaml

@@ -100,3 +100,29 @@ jobs:
         with:
           path: tests/workflows/test-validate/workspace_eval_remote
           workspace: prod
+
+  validate_unterminated_string:
+    runs-on: ubuntu-latest
+    name: Validate with unterminated string
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: validate
+        uses: ./terraform-validate
+        with:
+          path: tests/workflows/test-validate/unterminated-string
+        id: validate
+        continue-on-error: true
+
+      - name: Check invalid
+        run: |
+          if [[ "${{ steps.validate.outcome }}" != "failure" ]]; then
+            echo "Validate did not fail correctly"
+            exit 1
+          fi
+
+          if [[ "${{ steps.validate.outputs.failure-reason }}" != "validate-failed" ]]; then
+            echo "::error:: failure-reason not set correctly"
+            exit 1
+          fi

image/src/terraform/hcl.py

@@ -0,0 +1,60 @@
+"""
+Wraps python-hcl
+"""
+
+import hcl2  # type: ignore
+import sys
+import subprocess
+from pathlib import Path
+
+from github_actions.debug import debug
+
+
+def try_load(path: Path) -> dict:
+    try:
+        with open(path) as f:
+            return hcl2.load(f)
+    except:
+        return {}
+
+
+def is_loadable(path: Path) -> bool:
+    try:
+        subprocess.run(
+            [sys.executable, '-m', 'terraform.hcl', path],
+            timeout=10
+        )
+    except subprocess.TimeoutExpired:
+        debug('TimeoutExpired')
+        # We found a file that won't parse :(
+        return False
+    except:
+        # If we get an exception, we can still try and load it.
+        return True
+
+    return True
+
+
+def load(path: Path) -> dict:
+    if is_loadable(path):
+        return try_load(path)
+
+    debug(f'Unable to load {path}')
+    raise ValueError(f'Unable to load {path}')
+
+
+def loads(hcl: str) -> dict:
+    tmp_path = Path('/tmp/load_test.hcl')
+
+    with open(tmp_path, 'w') as f:
+        f.write(hcl)
+
+    if is_loadable(tmp_path):
+        return hcl2.loads(hcl)
+
+    debug(f'Unable to load hcl')
+    raise ValueError(f'Unable to load hcl')
+
+
+if __name__ == '__main__':
+    try_load(Path(sys.argv[1]))

image/src/terraform/module.py

@@ -5,7 +5,7 @@
 import os
 from typing import Any, cast, NewType, Optional, TYPE_CHECKING, TypedDict
 
-import hcl2  # type: ignore
+import terraform.hcl
 
 from github_actions.debug import debug
 from terraform.versions import Constraint
@@ -66,22 +66,21 @@ def load_module(path: Path) -> TerraformModule:
         if not file.endswith('.tf'):
             continue
 
-        with open(os.path.join(path, file)) as f:
-            try:
-                module = merge(module, cast(TerraformModule, hcl2.load(f)))
-            except Exception as e:
-                # ignore tf files that don't parse
-                debug(f'Failed to parse {file}')
-                debug(str(e))
+        try:
+            tf_file = cast(TerraformModule, terraform.hcl.load(os.path.join(path, file)))
+            module = merge(module, tf_file)
+        except Exception as e:
+            # ignore tf files that don't parse
+            debug(f'Failed to parse {file}')
+            debug(str(e))
 
     return module
 
 
 def load_backend_config_file(path: Path) -> TerraformModule:
     """Load a backend config file."""
 
-    with open(path) as f:
-        return cast(TerraformModule, hcl2.load(f))
+    return cast(TerraformModule, terraform.hcl.load(path))
 
 
 def read_cli_config(config: str) -> dict[str, str]:
@@ -93,7 +92,7 @@ def read_cli_config(config: str) -> dict[str, str]:
 
     hosts = {}
 
-    config_hcl = hcl2.loads(config)
+    config_hcl = terraform.hcl.loads(config)
 
     for credential in config_hcl.get('credentials', {}):
         for cred_hostname, cred_conf in credential.items():

tests/workflows/test-validate/unterminated-string/main.tf

@@ -0,0 +1,10 @@
+module "enforce_mfa" {
+   source                          = "terraform-module/enforce-mfa/aws"
+   version                         = "0.13.0”
+   policy_name                     = "managed-mfa-enforce"
+   account_id                      = data.aws_caller_identity.current.id
+   groups                          = [aws_iam_group.console_group.name]
+   manage_own_signing_certificates = true
+   manage_own_ssh_public_keys      = true
+   manage_own_git_credentials      = true
+ }