feat(actions): extend action validation inside configs package (#37355)

* Add extended action validation during config parsing

- Verify that actions and linked_resources are in the current module
- Verify that given traversals reference the right types (action, resource)
- Add some validation tests

Author: mildwonkey

internal/configs/action.go

@@ -12,6 +12,24 @@ import (
 	"github.com/hashicorp/terraform/internal/addrs"
 )
 
+func invalidLinkedResourceDiag(subj *hcl.Range) *hcl.Diagnostic {
+	return &hcl.Diagnostic{
+		Severity: hcl.DiagError,
+		Summary:  `Invalid "linked_resource"`,
+		Detail:   `"linked_resource" must only refer to a managed resource in the current module.`,
+		Subject:  subj,
+	}
+}
+
+func invalidLinkedResourcesDiag(subj *hcl.Range) *hcl.Diagnostic {
+	return &hcl.Diagnostic{
+		Severity: hcl.DiagError,
+		Summary:  `Invalid "linked_resources"`,
+		Detail:   `"linked_resources" must only refer to managed resources in the current module.`,
+		Subject:  subj,
+	}
+}
+
 // Action represents an "action" block inside a configuration
 type Action struct {
 	Name    string
@@ -105,6 +123,7 @@ func decodeActionTriggerBlock(block *hcl.Block) (*ActionTrigger, hcl.Diagnostics
 					Detail:   "The \"event\" argument supports the following values: before_create, after_create, before_update, after_update, before_destroy, after_destroy.",
 					Subject:  expr.Range().Ptr(),
 				})
+				continue
 			}
 
 			if event == BeforeDestroy || event == AfterDestroy {
@@ -114,8 +133,8 @@ func decodeActionTriggerBlock(block *hcl.Block) (*ActionTrigger, hcl.Diagnostics
 					Detail:   "The destroy events (before_destroy, after_destroy) are not supported as of right now. They will be supported in a future release.",
 					Subject:  expr.Range().Ptr(),
 				})
+				continue
 			}
-
 			events = append(events, event)
 		}
 		a.Events = events
@@ -128,25 +147,29 @@ func decodeActionTriggerBlock(block *hcl.Block) (*ActionTrigger, hcl.Diagnostics
 		for _, expr := range exprs {
 			traversal, travDiags := hcl.AbsTraversalForExpr(expr)
 			diags = append(diags, travDiags...)
-			// verify that the traversal is an action
-			if traversal.RootName() != "action" {
-				diags = append(diags, &hcl.Diagnostic{
-					Severity: hcl.DiagError,
-					Summary:  "Invalid actions argument inside action_triggers",
-					Detail:   "action_triggers.actions accepts a list of one or more actions",
-					Subject:  block.DefRange.Ptr(),
-				})
-				continue
-			}
 
-			if len(traversal) != 0 {
-				actionRef := ActionRef{
-					Traversal: traversal,
-					Range:     expr.Range(),
+			if len(traversal) > 0 {
+				// verify that the traversal is an action
+				ref, refDiags := addrs.ParseRef(traversal)
+				diags = append(diags, refDiags.ToHCL()...)
+
+				switch ref.Subject.(type) {
+				case addrs.ActionInstance, addrs.Action:
+					actionRef := ActionRef{
+						Traversal: traversal,
+						Range:     expr.Range(),
+					}
+					actions = append(actions, actionRef)
+				default:
+					diags = append(diags, &hcl.Diagnostic{
+						Severity: hcl.DiagError,
+						Summary:  "Invalid actions argument inside action_triggers",
+						Detail:   "action_triggers.actions accepts a list of one or more actions, which must be in the current module.",
+						Subject:  expr.Range().Ptr(),
+					})
+					continue
 				}
-				actions = append(actions, actionRef)
 			}
-
 		}
 		a.Actions = actions
 	}
@@ -222,15 +245,33 @@ func decodeActionBlock(block *hcl.Block) (*Action, hcl.Diagnostics) {
 			diags = append(diags, &hcl.Diagnostic{
 				Severity: hcl.DiagError,
 				Summary:  `Invalid use of "linked_resource"`,
-				Detail:   `The "linked_resource" and "linked_resources" are mutually exclusive, only one should be used.`,
+				Detail:   `"linked_resource" and "linked_resources" are mutually exclusive, only one should be used.`,
 				Subject:  &attr.NameRange,
 			})
 		}
 
 		traversal, travDiags := hcl.AbsTraversalForExpr(attr.Expr)
 		diags = append(diags, travDiags...)
 		if len(traversal) != 0 {
-			a.LinkedResources = []hcl.Traversal{traversal}
+			ref, refDiags := addrs.ParseRef(traversal)
+			diags = append(diags, refDiags.ToHCL()...)
+
+			switch res := ref.Subject.(type) {
+			case addrs.Resource:
+				if res.Mode != addrs.ManagedResourceMode {
+					diags = append(diags, invalidLinkedResourceDiag(&attr.NameRange))
+				} else {
+					a.LinkedResources = []hcl.Traversal{traversal}
+				}
+			case addrs.ResourceInstance:
+				if res.Resource.Mode != addrs.ManagedResourceMode {
+					diags = append(diags, invalidLinkedResourceDiag(&attr.NameRange))
+				} else {
+					a.LinkedResources = []hcl.Traversal{traversal}
+				}
+			default:
+				diags = append(diags, invalidLinkedResourceDiag(&attr.NameRange))
+			}
 		}
 	}
 
@@ -239,22 +280,34 @@ func decodeActionBlock(block *hcl.Block) (*Action, hcl.Diagnostics) {
 			diags = append(diags, &hcl.Diagnostic{
 				Severity: hcl.DiagError,
 				Summary:  `Invalid use of "linked_resources"`,
-				Detail:   `The "linked_resource" and "linked_resources" are mutually exclusive, only one should be used.`,
+				Detail:   `"linked_resource" and "linked_resources" are mutually exclusive, only one should be used.`,
 				Subject:  &attr.NameRange,
 			})
 		}
 
-		exprs, diags := hcl.ExprList(attr.Expr)
-		lrs := make([]hcl.Traversal, len(exprs))
-
-		for i, expr := range exprs {
-			traversal, travDiags := hcl.AbsTraversalForExpr(expr)
-			diags = append(diags, travDiags...)
-			if len(traversal) != 0 {
-				lrs[i] = traversal
+		exprs, exprDiags := hcl.ExprList(attr.Expr)
+		diags = append(diags, exprDiags...)
+
+		if len(exprs) > 0 {
+			lrs := make([]hcl.Traversal, 0, len(exprs))
+			for _, expr := range exprs {
+				traversal, travDiags := hcl.AbsTraversalForExpr(expr)
+				diags = append(diags, travDiags...)
+
+				if len(traversal) != 0 {
+					ref, refDiags := addrs.ParseRef(traversal)
+					diags = append(diags, refDiags.ToHCL()...)
+
+					switch ref.Subject.(type) {
+					case addrs.Resource, addrs.ResourceInstance:
+						lrs = append(lrs, traversal)
+					default:
+						diags = append(diags, invalidLinkedResourcesDiag(&attr.NameRange))
+					}
+				}
 			}
+			a.LinkedResources = lrs
 		}
-		a.LinkedResources = lrs
 	}
 
 	for _, block := range content.Blocks {

internal/configs/action_test.go

@@ -8,18 +8,20 @@ import (
 
 	"github.com/hashicorp/hcl/v2"
 	"github.com/hashicorp/hcl/v2/hcltest"
+	"github.com/zclconf/go-cty/cty"
 )
 
 func TestDecodeActionBlock(t *testing.T) {
 	fooResourceExpr := hcltest.MockExprTraversalSrc("resource_type.foo")
 	barResourceExpr := hcltest.MockExprTraversalSrc("resource_type.bar")
-
 	fooAndBarExpr := hcltest.MockExprList([]hcl.Expression{fooResourceExpr, barResourceExpr})
+	moduleResourceExpr := hcltest.MockExprTraversalSrc("module.foo.resource_type.bar")
+	fooDataSourceExpr := hcltest.MockExprTraversalSrc("data.example.foo")
 
 	tests := map[string]struct {
 		input       *hcl.Block
 		want        *Action
-		expectDiags []hcl.Diagnostic
+		expectDiags []string
 	}{
 		"one linked resource": {
 			&hcl.Block{
@@ -67,16 +69,181 @@ func TestDecodeActionBlock(t *testing.T) {
 			},
 			nil,
 		},
+		"invalid linked resources (module ref)": { // for now! This test will change when we support cross-module actions
+			&hcl.Block{
+				Type:   "action",
+				Labels: []string{"an_action", "foo"},
+				Body: hcltest.MockBody(&hcl.BodyContent{
+					Attributes: hcl.Attributes{
+						"linked_resources": {
+							Name: "linked_resources",
+							Expr: hcltest.MockExprList([]hcl.Expression{moduleResourceExpr}),
+						},
+					},
+				}),
+				DefRange:    blockRange,
+				LabelRanges: []hcl.Range{{}},
+			},
+			&Action{
+				Type:            "an_action",
+				Name:            "foo",
+				LinkedResources: []hcl.Traversal{},
+				DeclRange:       blockRange,
+			},
+			[]string{`:0,0-0: Invalid "linked_resources"; "linked_resources" must only refer to managed resources in the current module.`},
+		},
+		"invalid linked resource (datasource ref)": {
+			&hcl.Block{
+				Type:   "action",
+				Labels: []string{"an_action", "foo"},
+				Body: hcltest.MockBody(&hcl.BodyContent{
+					Attributes: hcl.Attributes{
+						"linked_resource": {
+							Name: "linked_resource",
+							Expr: fooDataSourceExpr,
+						},
+					},
+				}),
+				DefRange:    blockRange,
+				LabelRanges: []hcl.Range{{}},
+			},
+			&Action{
+				Type:            "an_action",
+				Name:            "foo",
+				LinkedResources: nil,
+				DeclRange:       blockRange,
+			},
+			[]string{`:0,0-0: Invalid "linked_resource"; "linked_resource" must only refer to a managed resource in the current module.`},
+		},
 	}
 
 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
 			got, diags := decodeActionBlock(test.input)
-			if len(diags) != len(test.expectDiags) {
-				t.Error(diags.Error())
-				t.Fatalf("Wrong result! Expected %d diagnostics, got %d", len(test.expectDiags), len(diags))
-			}
+			assertExactDiagnostics(t, diags, test.expectDiags)
+			assertResultDeepEqual(t, got, test.want)
+		})
+	}
+}
+
+func TestDecodeActionTriggerBlock(t *testing.T) {
+	conditionExpr := hcltest.MockExprLiteral(cty.True)
+	eventsListExpr := hcltest.MockExprList([]hcl.Expression{hcltest.MockExprTraversalSrc("after_create"), hcltest.MockExprTraversalSrc("after_update")})
+
+	fooActionExpr := hcltest.MockExprTraversalSrc("action.action_type.foo")
+	barActionExpr := hcltest.MockExprTraversalSrc("action.action_type.bar")
+	fooAndBarExpr := hcltest.MockExprList([]hcl.Expression{fooActionExpr, barActionExpr})
+
+	// bad inputs!
+	moduleActionExpr := hcltest.MockExprTraversalSrc("module.foo.action.action_type.bar")
+	fooDataSourceExpr := hcltest.MockExprTraversalSrc("data.example.foo")
+
+	tests := map[string]struct {
+		input       *hcl.Block
+		want        *ActionTrigger
+		expectDiags []string
+	}{
+		"simple example": {
+			&hcl.Block{
+				Type: "action_trigger",
+				Body: hcltest.MockBody(&hcl.BodyContent{
+					Attributes: hcltest.MockAttrs(map[string]hcl.Expression{
+						"condition": conditionExpr,
+						"events":    eventsListExpr,
+						"actions":   fooAndBarExpr,
+					}),
+				}),
+			},
+			&ActionTrigger{
+				Condition: conditionExpr,
+				Events:    []ActionTriggerEvent{AfterCreate, AfterUpdate},
+				Actions: []ActionRef{
+					{
+						mustAbsTraversalForExpr(fooActionExpr),
+						fooActionExpr.Range(),
+					},
+					{
+						mustAbsTraversalForExpr(barActionExpr),
+						barActionExpr.Range(),
+					},
+				},
+			},
+			nil,
+		},
+		"error - referencing actions in other modules": {
+			&hcl.Block{
+				Type: "action_trigger",
+				Body: hcltest.MockBody(&hcl.BodyContent{
+					Attributes: hcltest.MockAttrs(map[string]hcl.Expression{
+						"condition": conditionExpr,
+						"events":    eventsListExpr,
+						"actions":   hcltest.MockExprList([]hcl.Expression{moduleActionExpr}),
+					}),
+				}),
+			},
+			&ActionTrigger{
+				Condition: conditionExpr,
+				Events:    []ActionTriggerEvent{AfterCreate, AfterUpdate},
+				Actions:   []ActionRef{},
+			},
+			[]string{
+				"MockExprTraversal:0,0-33: Invalid actions argument inside action_triggers; action_triggers.actions accepts a list of one or more actions, which must be in the current module.",
+				":0,0-0: No actions specified; At least one action must be specified for an action_trigger.",
+			},
+		},
+		"error - action is not an action": {
+			&hcl.Block{
+				Type: "action_trigger",
+				Body: hcltest.MockBody(&hcl.BodyContent{
+					Attributes: hcltest.MockAttrs(map[string]hcl.Expression{
+						"condition": conditionExpr,
+						"events":    eventsListExpr,
+						"actions":   hcltest.MockExprList([]hcl.Expression{fooDataSourceExpr}),
+					}),
+				}),
+			},
+			&ActionTrigger{
+				Condition: conditionExpr,
+				Events:    []ActionTriggerEvent{AfterCreate, AfterUpdate},
+				Actions:   []ActionRef{},
+			},
+			[]string{
+				"MockExprTraversal:0,0-16: Invalid actions argument inside action_triggers; action_triggers.actions accepts a list of one or more actions, which must be in the current module.",
+				":0,0-0: No actions specified; At least one action must be specified for an action_trigger.",
+			},
+		},
+		"error - invalid event": {
+			&hcl.Block{
+				Type: "action_trigger",
+				Body: hcltest.MockBody(&hcl.BodyContent{
+					Attributes: hcltest.MockAttrs(map[string]hcl.Expression{
+						"condition": conditionExpr,
+						"events":    hcltest.MockExprList([]hcl.Expression{hcltest.MockExprTraversalSrc("not_an_event")}),
+						"actions":   hcltest.MockExprList([]hcl.Expression{fooActionExpr}),
+					}),
+				}),
+			},
+			&ActionTrigger{
+				Condition: conditionExpr,
+				Events:    []ActionTriggerEvent{},
+				Actions: []ActionRef{
+					{
+						mustAbsTraversalForExpr(fooActionExpr),
+						fooActionExpr.Range(),
+					},
+				},
+			},
+			[]string{
+				"MockExprTraversal:0,0-12: Invalid \"event\" value not_an_event; The \"event\" argument supports the following values: before_create, after_create, before_update, after_update, before_destroy, after_destroy.",
+				":0,0-0: No events specified; At least one event must be specified for an action_trigger.",
+			},
+		},
+	}
 
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			got, diags := decodeActionTriggerBlock(test.input)
+			assertExactDiagnostics(t, diags, test.expectDiags)
 			assertResultDeepEqual(t, got, test.want)
 		})
 	}