workspace_remote: Suppress issues in Terraform v1.1+ (#156)

wata727 · web-flow · commit 6ace801230e8 · 2024-02-17T17:01:29.000+09:00
diff --git a/docs/rules/terraform_workspace_remote.md b/docs/rules/terraform_workspace_remote.md
@@ -1,6 +1,6 @@
 # terraform_workspace_remote
 
-`terraform.workspace` should not be used with a "remote" backend with remote execution. 
+`terraform.workspace` should not be used with a "remote" backend with remote execution in Terraform v1.0.x.
 
 If remote operations are [disabled](https://www.terraform.io/docs/cloud/run/index.html#disabling-remote-operations) for your workspace, you can safely disable this rule:
 
@@ -10,12 +10,15 @@ rule "terraform_workspace_remote" {
 }
 ```
 
+This rule looks at `required_version` for Terraform version estimation. If the `required_version` is not declared, it is assumed that you are using a more recent version.
+
 > This rule is enabled by "recommended" preset.
 
 ## Example
 
 ```hcl
 terraform {
+  required_version = ">= 1.0"
   backend "remote" {
     # ...
   }
@@ -35,24 +38,24 @@ $ tflint
 Warning: terraform.workspace should not be used with a 'remote' backend (terraform_workspace_remote)
 
   on example.tf line 8:
-   8:   tags = {
-   9:     workspace = terraform.workspace
-  10:   }
+   9:   tags = {
+  10:     workspace = terraform.workspace
+  11:   }
 
-Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.1.0/docs/rules/terraform_workspace_remote.md
+Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_workspace_remote.md
 ```
 
 ## Why
 
-Terraform configuration may include the name of the [current workspace](https://www.terraform.io/docs/state/workspaces.html#current-workspace-interpolation) using the `${terraform.workspace}` interpolation sequence. However, when Terraform Cloud workspaces are executing Terraform runs remotely, the Terraform CLI always uses the `default` workspace.
+Terraform configuration may include the name of the [current workspace](https://developer.hashicorp.com/terraform/language/state/workspaces#current-workspace-interpolation) using the `${terraform.workspace}` interpolation sequence. However, when Terraform Cloud workspaces are executing Terraform runs remotely, the Terraform v1.0.x always uses the `default` workspace.
 
-The [remote](https://www.terraform.io/docs/backends/types/remote.html) backend is used with Terraform Cloud workspaces. Even if you set a `prefix` in the `workspaces` block, this value will be ignored during remote runs.
+The [remote](https://developer.hashicorp.com/terraform/language/settings/backends/remote) backend is used with Terraform Cloud workspaces. Even if you set a `prefix` in the `workspaces` block, this value will be ignored during remote runs.
 
-For more information, see the [`remote` backend workspaces documentation](https://www.terraform.io/docs/backends/types/remote.html#workspaces).
+For more information, see the [`remote` backend workspaces documentation](https://developer.hashicorp.com/terraform/language/settings/backends/remote#workspace-names).
 
 ## How To Fix
 
-Consider adding a variable to your configuration and setting it in each cloud workspace:
+If you still need support for Terarform v1.0.x, consider adding a variable to your configuration and setting it in each cloud workspace:
 
 ```tf
 variable "workspace" {
@@ -62,3 +65,5 @@ variable "workspace" {
 ```
 
 You can also name the variable based on what the workspace suffix represents in your configuration (e.g. environment).
+
+If you don't need support for Terraform v1.0.x, you can suppress the issue by updating the `required_version` to not contain 1.0.x.
diff --git a/rules/terraform_workspace_remote.go b/rules/terraform_workspace_remote.go
@@ -1,6 +1,7 @@
 package rules
 
 import (
+	"github.com/hashicorp/go-version"
 	"github.com/hashicorp/hcl/v2"
 	"github.com/hashicorp/hcl/v2/hclsyntax"
 	"github.com/hashicorp/hcl/v2/json"
@@ -41,6 +42,22 @@ func (r *TerraformWorkspaceRemoteRule) Link() string {
 	return project.ReferenceLink(r.Name())
 }
 
+// @see https://releases.hashicorp.com/terraform/
+var tf10Versions = []*version.Version{
+	version.Must(version.NewVersion("1.0.0")),
+	version.Must(version.NewVersion("1.0.1")),
+	version.Must(version.NewVersion("1.0.2")),
+	version.Must(version.NewVersion("1.0.3")),
+	version.Must(version.NewVersion("1.0.4")),
+	version.Must(version.NewVersion("1.0.5")),
+	version.Must(version.NewVersion("1.0.6")),
+	version.Must(version.NewVersion("1.0.7")),
+	version.Must(version.NewVersion("1.0.8")),
+	version.Must(version.NewVersion("1.0.9")),
+	version.Must(version.NewVersion("1.0.10")),
+	version.Must(version.NewVersion("1.0.11")),
+}
+
 // Check checks for a "remote" backend and if found emits issues for
 // each use of terraform.workspace in an expression.
 func (r *TerraformWorkspaceRemoteRule) Check(runner tflint.Runner) error {
@@ -58,6 +75,9 @@ func (r *TerraformWorkspaceRemoteRule) Check(runner tflint.Runner) error {
 			{
 				Type: "terraform",
 				Body: &hclext.BodySchema{
+					Attributes: []hclext.AttributeSchema{
+						{Name: "required_version"},
+					},
 					Blocks: []hclext.BlockSchema{
 						{
 							Type:       "backend",
@@ -74,14 +94,34 @@ func (r *TerraformWorkspaceRemoteRule) Check(runner tflint.Runner) error {
 	}
 
 	var remoteBackend bool
+	var tf10Support bool
 	for _, terraform := range body.Blocks {
+		for _, requiredVersion := range terraform.Body.Attributes {
+			err := runner.EvaluateExpr(requiredVersion.Expr, func(v string) error {
+				constraints, err := version.NewConstraint(v)
+				if err != nil {
+					return err
+				}
+
+				for _, tf10Version := range tf10Versions {
+					if constraints.Check(tf10Version) {
+						tf10Support = true
+					}
+				}
+				return nil
+			}, nil)
+			if err != nil {
+				return err
+			}
+		}
+
 		for _, backend := range terraform.Body.Blocks {
 			if backend.Labels[0] == "remote" {
 				remoteBackend = true
 			}
 		}
 	}
-	if !remoteBackend {
+	if !remoteBackend || !tf10Support {
 		return nil
 	}
 
diff --git a/rules/terraform_workspace_remote_test.go b/rules/terraform_workspace_remote_test.go
@@ -18,6 +18,7 @@ func Test_TerraformWorkspaceRemoteRule(t *testing.T) {
 			Name: "terraform.workspace in resource with remote backend",
 			Content: `
 terraform {
+	required_version = ">= 1.0"
 	backend "remote" {}
 }
 resource "null_resource" "a" {
@@ -31,15 +32,18 @@ resource "null_resource" "a" {
 					Message: "terraform.workspace should not be used with a 'remote' backend",
 					Range: hcl.Range{
 						Filename: "config.tf",
-						Start:    hcl.Pos{Line: 7, Column: 7},
-						End:      hcl.Pos{Line: 7, Column: 26},
+						Start:    hcl.Pos{Line: 8, Column: 7},
+						End:      hcl.Pos{Line: 8, Column: 26},
 					},
 				},
 			},
 		},
 		{
 			Name: "terraform.workspace with no backend",
 			Content: `
+terraform {
+	required_version = ">= 1.0"
+}
 resource "null_resource" "a" {
 	triggers = {
 		w = terraform.workspace
@@ -51,8 +55,46 @@ resource "null_resource" "a" {
 			Name: "terraform.workspace with non-remote backend",
 			Content: `
 terraform {
+	required_version = ">= 1.0"
 	backend "local" {}
 }
+resource "null_resource" "a" {
+	triggers = {
+		w = terraform.workspace
+	}
+}`,
+			Expected: helper.Issues{},
+		},
+		{
+			Name: "terraform.workspace with remote backend, but required_version does not support 1.0.x",
+			Content: `
+terraform {
+	required_version = ">= 1.1"
+	backend "remote" {}
+}
+resource "null_resource" "a" {
+	triggers = {
+		w = terraform.workspace
+	}
+}`,
+			Expected: helper.Issues{},
+		},
+		{
+			Name: "terraform.workspace with remote backend, but required_version is not declared",
+			Content: `
+terraform {
+	backend "remote" {}
+}
+resource "null_resource" "a" {
+	triggers = {
+		w = terraform.workspace
+	}
+}`,
+			Expected: helper.Issues{},
+		},
+		{
+			Name: "terraform.workspace without terraform setting",
+			Content: `
 resource "null_resource" "a" {
 	triggers = {
 		w = terraform.workspace
@@ -64,6 +106,7 @@ resource "null_resource" "a" {
 			Name: "terraform.workspace in data source with remote backend",
 			Content: `
 terraform {
+	required_version = ">= 1.0"
 	backend "remote" {}
 }
 data "null_data_source" "a" {
@@ -77,8 +120,8 @@ data "null_data_source" "a" {
 					Message: "terraform.workspace should not be used with a 'remote' backend",
 					Range: hcl.Range{
 						Filename: "config.tf",
-						Start:    hcl.Pos{Line: 7, Column: 7},
-						End:      hcl.Pos{Line: 7, Column: 26},
+						Start:    hcl.Pos{Line: 8, Column: 7},
+						End:      hcl.Pos{Line: 8, Column: 26},
 					},
 				},
 			},
@@ -87,6 +130,7 @@ data "null_data_source" "a" {
 			Name: "terraform.workspace in module call with remote backend",
 			Content: `
 terraform {
+	required_version = ">= 1.0"
 	backend "remote" {}
 }
 module "a" {
@@ -99,8 +143,8 @@ module "a" {
 					Message: "terraform.workspace should not be used with a 'remote' backend",
 					Range: hcl.Range{
 						Filename: "config.tf",
-						Start:    hcl.Pos{Line: 7, Column: 6},
-						End:      hcl.Pos{Line: 7, Column: 25},
+						Start:    hcl.Pos{Line: 8, Column: 6},
+						End:      hcl.Pos{Line: 8, Column: 25},
 					},
 				},
 			},
@@ -109,6 +153,7 @@ module "a" {
 			Name: "terraform.workspace in provider config with remote backend",
 			Content: `
 terraform {
+	required_version = ">= 1.0"
 	backend "remote" {}
 }
 provider "aws" {
@@ -122,8 +167,8 @@ provider "aws" {
 					Message: "terraform.workspace should not be used with a 'remote' backend",
 					Range: hcl.Range{
 						Filename: "config.tf",
-						Start:    hcl.Pos{Line: 7, Column: 14},
-						End:      hcl.Pos{Line: 7, Column: 33},
+						Start:    hcl.Pos{Line: 8, Column: 14},
+						End:      hcl.Pos{Line: 8, Column: 33},
 					},
 				},
 			},
@@ -132,6 +177,7 @@ provider "aws" {
 			Name: "terraform.workspace in locals with remote backend",
 			Content: `
 terraform {
+	required_version = ">= 1.0"
 	backend "remote" {}
 }
 locals {
@@ -143,8 +189,8 @@ locals {
 					Message: "terraform.workspace should not be used with a 'remote' backend",
 					Range: hcl.Range{
 						Filename: "config.tf",
-						Start:    hcl.Pos{Line: 6, Column: 6},
-						End:      hcl.Pos{Line: 6, Column: 25},
+						Start:    hcl.Pos{Line: 7, Column: 6},
+						End:      hcl.Pos{Line: 7, Column: 25},
 					},
 				},
 			},
@@ -153,6 +199,7 @@ locals {
 			Name: "terraform.workspace in output with remote backend",
 			Content: `
 terraform {
+	required_version = ">= 1.0"
 	backend "remote" {}
 }
 output "o" {
@@ -164,8 +211,8 @@ output "o" {
 					Message: "terraform.workspace should not be used with a 'remote' backend",
 					Range: hcl.Range{
 						Filename: "config.tf",
-						Start:    hcl.Pos{Line: 6, Column: 10},
-						End:      hcl.Pos{Line: 6, Column: 29},
+						Start:    hcl.Pos{Line: 7, Column: 10},
+						End:      hcl.Pos{Line: 7, Column: 29},
 					},
 				},
 			},
@@ -174,6 +221,7 @@ output "o" {
 			Name: "nonmatching expressions with remote backend",
 			Content: `
 terraform {
+	required_version = ">= 1.0"
 	backend "remote" {}
 }
 locals {
@@ -186,6 +234,7 @@ locals {
 			Name: "meta-arguments",
 			Content: `
 terraform {
+	required_version = ">= 1.0"
 	backend "remote" {}
 }
 resource "aws_instance" "foo" {
@@ -206,6 +255,7 @@ resource "aws_instance" "foo" {
 			Content: `
 {
   "terraform": {
+	"required_version": ">= 1.0",
     "backend": {
       "remote": {}
 	}
@@ -226,8 +276,8 @@ resource "aws_instance" "foo" {
 					Message: "terraform.workspace should not be used with a 'remote' backend",
 					Range: hcl.Range{
 						Filename: "config.tf.json",
-						Start:    hcl.Pos{Line: 8, Column: 15},
-						End:      hcl.Pos{Line: 16, Column: 4},
+						Start:    hcl.Pos{Line: 9, Column: 15},
+						End:      hcl.Pos{Line: 17, Column: 4},
 					},
 				},
 			},
@@ -236,6 +286,7 @@ resource "aws_instance" "foo" {
 			Name: "with ignore_changes",
 			Content: `
 terraform {
+  required_version = ">= 1.0"
   backend "remote" {}
 }
 resource "kubernetes_secret" "my_secret" {
