Skip to content

fix: validate replace_triggered_by attribute references #38010

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
SarahFrench merged 2 commits into from
Dec 17, 2025
Merged

fix: validate replace_triggered_by attribute references #38010

SarahFrench merged 2 commits into from
Dec 17, 2025
+85 −0

Conversation

@vietcgi
Copy link
Contributor

@vietcgi vietcgi commented Dec 13, 2025

Summary

  • replace_triggered_by now reports an error when given an invalid attribute reference that does not exist in the target resource

Test plan

  • Added unit test TestContext2Plan_triggeredByInvalidAttribute
  • Existing replace_triggered_by tests pass
  • Manual testing with null_resource confirms invalid references now produce errors
  • Valid attribute references continue to work correctly

Fixes #36740

@vietcgi vietcgi requested a review from a team as a code owner December 13, 2025 12:21
@crw crw added the bug label Dec 15, 2025
SarahFrench
SarahFrench reviewed Dec 16, 2025
View reviewed changes
Copy link
Member

@SarahFrench SarahFrench left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @vietcgi , thanks for your contribution!

I've left some minor comments on the changes in this PR, broadly it looks good but I have a small question around the nil/null checks.

In triage we discussed the original issue you're addressing and thought that ideally the solution would have two parts. Your proposed changes are the first part, by helping users identify when a bad reference is used during planning. Ideally users would also be able to use terraform validate to detect when their configuration has a bad reference in replace_triggered_by. This would let people identify when the defect first enters their configuration, instead of only identifying it when it first impacts a plan action. Would you be interested in implementing that second part in this PR, or separately? No worries if not, in that case I'd open a new issue for someone else to pick up.

jbardin
jbardin requested changes Dec 16, 2025
View reviewed changes
Copy link
Member

@jbardin jbardin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @vietcgi,

Terraform needs to always account for resources which may contain dynamically typed values. The change proposed here would fail if those dynamically typed values were to change from one plan to the next. We can't exclude the replace_triggered_by references from traversing into dynamic types, because it's already been designed to do so. This means if we are going to have any more detailed diagnostics, those diagnostics will need to be derived from the target resource schema alone, and not rely on the current value type

@vietcgi vietcgi force-pushed the fix-replace-triggered-by-validation branch from 7067bfe to d68e029 Compare December 17, 2025 01:59
@vietcgi
Copy link
Contributor Author

vietcgi commented Dec 17, 2025

Hi @jbardin,

Thanks for the feedback. You're righ. I've updated the implementation to use schema-based validation instead of value-based validation. The fix now uses StaticValidateTraversal to validate the attribute reference against the target resource's schema, which properly handles dynamically-typed attributes. This way we only error on truly invalid references that don't exist in the schema, rather than relying on the current value type which could change between plans.

jbardin
jbardin reviewed Dec 17, 2025
View reviewed changes
@vietcgi
Copy link
Contributor Author

vietcgi commented Dec 17, 2025

Thanks @jbardin, good catch! Updated to use change.ProviderAddr directly. Much cleaner and handles cross-module provider configs correctly.

jbardin
jbardin approved these changes Dec 17, 2025
View reviewed changes
Copy link
Member

@jbardin jbardin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@SarahFrench SarahFrench added the 1.14-backport If you add this label to a PR before merging, backport-assistant will open a new PR once merged label Dec 17, 2025
@github-actions

This comment was marked as resolved.

Sign in to view
@SarahFrench SarahFrench merged commit c36c814 into hashicorp:main Dec 17, 2025
12 of 13 checks passed
@github-actions github-actions bot mentioned this pull request Dec 17, 2025
Closed
4 tasks
@SarahFrench SarahFrench mentioned this pull request Dec 17, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SarahFrench SarahFrench SarahFrench left review comments

@jbardin jbardin jbardin approved these changes

Assignees

No one assigned

Labels

1.14-backport If you add this label to a PR before merging, backport-assistant will open a new PR once merged bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

replace_triggered_by doesn't report error if given attribute references don't exist

4 participants

@vietcgi @jbardin @SarahFrench @crw