
Correctly handle multiple tags for same terraform module version #4616

Open
gavinclarkeuk opened this issue Jan 10, 2022 · 2 comments
Labels: good first issue, L: terraform (Terraform packages), T: bug 🐞 (Something isn't working), versioning

Comments

gavinclarkeuk commented Jan 10, 2022

Dependabot is raising unnecessary PRs for private github terraform modules which are tagged using multiple tags to pin at major/minor or patch versions (e.g. v2, v2.2, v2.2.0). A module dependency on v2 is causing a PR to be raised to change the dependency to v2.2, despite both tags pointing at the same version.

Package ecosystem
terraform

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "terraform" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "daily"

Updated dependency

Dependency was for an internal terraform module stored in a private github repo. The module is tagged with 3 tags for pinning at different levels - e.g. v2, v2.2, v2.2.0

The project being scanned had a dependency on v2 of the module.

What you expected to see, versus what you actually saw
Saw a PR raised to update the version from v2 to v2.2. Given that the v2, v2.2 and v2.2.0 tags all point to the same version, I would expect no PR to be raised.

🕹 Bonus points: Smallest manifest that reproduces the issue

example.tf
module "example_module" { source = "git@github.com:my-org/my-module/?ref=v2" }

@gavinclarkeuk gavinclarkeuk added the T: bug 🐞 Something isn't working label Jan 10, 2022
@gavinclarkeuk gavinclarkeuk changed the title Correctly handle multiple tags for same terraform module versions Correctly handle multiple tags for same terraform module version Jan 10, 2022
@mctofu mctofu added the L: terraform Terraform packages label Jan 11, 2022
jeffwidman (Member) commented

We do consider this a bug, we should retain the specificity of the tag.

We fixed something similar for GitHub actions a few months ago:

I don't know when we'll get to this, but the great thing is this library is open source so if it's affecting you feel free to use the above examples to create a similar PR for Terraform.

deivid-rodriguez (Contributor) commented Feb 22, 2023

Yeah, those PRs implemented that actual git checking logic to be able to do this, so adding the same fix to terraform should be pretty easy now. From a first look, I think it may be enough to change

latest_tag = git_commit_checker.local_tag_for_latest_version&.

to

latest_tag = git_commit_checker.local_ref_for_latest_version_matching_existing_precision&.

You're welcome to experiment with this solution. Ideally you'd have a public repo available with this kind of versioning so that you can capture some responses and use them for the specs.
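The two comments above describe the fix in one sentence (keep the precision of the pinned tag when choosing the latest version) and point at a dependabot-core method name. The following Ruby is an added illustration written for this page, not dependabot-core code: `latest_tag` and `latest_tag_matching_precision` are hypothetical stand-ins for the `local_tag_for_latest_version` / `local_ref_for_latest_version_matching_existing_precision` behaviour being discussed, and the `git ls-remote --tags` output, commit SHAs and module repo are constructed sample data. It shows why a `ref=v2` pin produces a spurious v2 -> v2.2 proposal under the old selection and no proposal once candidates are restricted to tags with the same number of version components.

```ruby
# Added example for this issue thread; not dependabot-core code.
# Demonstrates precision-aware tag selection for a Terraform git module
# pinned with `?ref=v2` where v2, v2.2 and v2.2.0 all point at one commit.

# Constructed sample: what `git ls-remote --tags` might print for a
# hypothetical private module repository. SHAs are made up.
SAMPLE_LS_REMOTE = <<~TXT
  0a1b2c3d4e5f60718293a4b5c6d7e8f901234567\trefs/tags/v1
  0a1b2c3d4e5f60718293a4b5c6d7e8f901234567\trefs/tags/v1.4
  0a1b2c3d4e5f60718293a4b5c6d7e8f901234567\trefs/tags/v1.4.2
  1122334455667788990011223344556677889900\trefs/tags/v2.1
  1122334455667788990011223344556677889900\trefs/tags/v2.1.3
  9f8e7d6c5b4a39281706f5e4d3c2b1a098765432\trefs/tags/v2
  9f8e7d6c5b4a39281706f5e4d3c2b1a098765432\trefs/tags/v2.2
  9f8e7d6c5b4a39281706f5e4d3c2b1a098765432\trefs/tags/v2.2.0
TXT

# A version tag: name as it appears in git, the commit it points at, and its
# numeric components (v2 -> [2], v2.2 -> [2, 2], v2.2.0 -> [2, 2, 0]).
Tag = Struct.new(:name, :sha, :version) do
  # "Precision" is how many components the tag pins: 1 = major, 2 = minor, 3 = patch.
  def precision
    version.length
  end
end

VERSION_TAG = /\Av?(\d+(?:\.\d+)*)\z/

# Parse ls-remote output into Tag objects, ignoring refs that are not
# plain version tags (branches, peeled ^{} entries, non-numeric tags).
def parse_ls_remote(text)
  text.each_line.filter_map do |line|
    sha, ref = line.strip.split("\t", 2)
    next unless ref&.start_with?("refs/tags/")
    name = ref.delete_prefix("refs/tags/")
    m = VERSION_TAG.match(name)
    next unless m
    Tag.new(name, sha, m[1].split(".").map(&:to_i))
  end
end

# Extract the pinned ref from a Terraform git module source such as
# "git@github.com:my-org/my-module/?ref=v2". Returns nil when no ref is pinned.
def ref_from_source(source)
  m = source.match(/[?&]ref=([^&"\s]+)/)
  m && m[1]
end

# Old behaviour (stand-in for local_tag_for_latest_version): the highest
# version among *all* tags, whatever its precision. Starting from v2 this
# yields v2.2.0 even though it is the same commit as v2.
def latest_tag(tags)
  tags.max_by(&:version)
end

# Fixed behaviour (stand-in for
# local_ref_for_latest_version_matching_existing_precision): only tags with
# the same number of components as the current pin are candidates, so a
# major-only pin is only ever moved to another major-only tag.
def latest_tag_matching_precision(tags, current_ref)
  current = tags.find { |t| t.name == current_ref }
  return nil unless current
  tags.select { |t| t.precision == current.precision }.max_by(&:version)
end

# Decide what, if anything, an update PR should change `ref=` to.
# Returns the new tag name, or nil when no PR is warranted (no newer tag at
# the same precision, or the candidate already resolves to the pinned commit).
def proposed_update(ls_remote_text, current_ref)
  tags = parse_ls_remote(ls_remote_text)
  current = tags.find { |t| t.name == current_ref }
  return nil unless current
  candidate = latest_tag_matching_precision(tags, current_ref)
  return nil if candidate.nil? || candidate.sha == current.sha
  candidate.name
end

if __FILE__ == $PROGRAM_NAME
  manifest = 'module "example_module" { source = "git@github.com:my-org/my-module/?ref=v2" }'
  ref = ref_from_source(manifest)
  tags = parse_ls_remote(SAMPLE_LS_REMOTE)
  puts "pinned ref:               #{ref}"
  puts "old selection would pick: #{latest_tag(tags).name}"
  puts "precision-aware proposal: #{proposed_update(SAMPLE_LS_REMOTE, ref).inspect}"
  puts "from v2.1 instead:        #{proposed_update(SAMPLE_LS_REMOTE, 'v2.1').inspect}"
end
```

The SHA comparison in `proposed_update` is the second half of the check: even at matching precision, a tag that resolves to the commit already pinned is not an update. A real implementation would also have to decide how to treat tags that are equal under semver but spelled differently (v2.2 versus v2.2.0), which this example sidesteps by comparing component arrays of equal length only.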

Development: no branches or pull requests

5 participants