Detect interpolation in terragrunt sources and skip if present #7502
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
Changed to do a simple include will catch any interpolation passed in and not process it. |
|
@deivid-rodriguez @jeffwidman @jurre Any estimate on when you all will be able to look at this? |
…interpolation so simplifing the check is less problematic
jeffwidman
force-pushed
the
dwc0011-terragrunt-interpolation-error
branch
from
b3aab97
to
7dd3187
Compare
| dependency_set << build_terragrunt_dependency(file, details) | ||
| source = source_from(details) | ||
| # Cannot update nil (interpolation sources) or local path modules, skip | ||
| next if source.nil? || source[:type] == "path" |
There was a problem hiding this comment.
I don't know how this code is used, and don't know Terragrunt/Terraform very well.
Obviously we can't update local path modules as deps to the current terragrunt files, but is there any risk that this prevents updating a local path module that's sitting in the same monorepo? Ie, because this stops 
from parsing the local module, it also prevent Dependabot from updating any remote deps listed in that local module?
I highly doubt that's a risk, so I'm going to merge, but wanted to doublecheck with you @dwc0011 since you're the expert.
There was a problem hiding this comment.
I don't think it would prevent it, exactly... There simply is no way for Dependabot to know how the Terragrunt interpolation resolves. The resolution depends on the Terragrunt config at runtime, and may not even be consistent. So when the user is using Terragrunt interpolation this way, Dependabot simply can't use its recursive feature to update anything in that other path anyway.
The workaround for the user would be just to specify both paths in the Dependabot config, so then Dependabot processes both. Which honestly is my preference anyway; the recursive feature in Dependabot has been a bit of a pain and I'd rather just disable it. (Though now with grouping it is becoming of more interest...)
There was a problem hiding this comment.
@jeffwidman For terraform local path modules, dependabot does not support updating local path modules, so it makes sense that terragrunt local path modules would not be updated as well.
Local Path Module Files are found and traversed by the file fetcher, not the file parser, all files including those where local path modules are found are then passed to the file parser. That said Terragrunt files do not have a fetch local path module at this time. (This could be added in a separate PR)
As mentioned, the file fetcher is responsible for gathering all the files to process including local source module files.
For terraform files see: fetch local path modules.
Since the process is fetch the files, parse, check updatable, and then update; not returning terragrunt local path dependency in the file_parser makes the most sense. We do this for other types that are not supported as well. i.e. local path modules for terraform, interpolation for terragrunt (added by this PR),
Even if the dependency was added in the file parser, it would be removed later in the update checker
There was a problem hiding this comment.
Thanks both of you. That's very helpful context, and I appreciate the extra details... Will be useful for any future git blame spelunkers.
…dabot#7502) Use a regex to determine if interpolation syntax is used anywhere in a source. If so, return `nil` and skip. Also skip local path dependencies, as they cannot be updated, so no point in processing them. --------- Co-authored-by: Dennis Carey <dwc0011@users.noreply.github.com>
Fixes #5841 by using a regex to determine if interpolation syntax is used anywhere in a source.