gruntwork-io · pseudomorph · Aug 19, 2025 · coderabbitai · Aug 19, 2025 · coderabbitai
@@ -149,6 +149,11 @@ func DecodeBaseBlocks(ctx *ParsingContext, l log.Logger, file *hclparse.File, in
 		errs = errs.Append(err)
 	}
 
+	// Validate that all include paths are unique
+	if err := ValidateUniqueIncludePaths(terragruntIncludeList); err != nil {
+		errs = errs.Append(err)
+	}
+
 	trackInclude, err := getTrackInclude(ctx, terragruntIncludeList, includeFromChild)
 	if err != nil {
 		errs = errs.Append(err)
@@ -458,6 +463,11 @@ func PartialParseConfig(ctx *ParsingContext, l log.Logger, file *hclparse.File,
 			// In normal operation, if a dependency block does not have a `config_path` attribute, decoding returns an error since this attribute is required, but the `hclvalidate` command suppresses decoding errors and this causes a cycle between modules, so we need to filter out dependencies without a defined `config_path`.
 			decoded.Dependencies = decoded.Dependencies.FilteredWithoutConfigPath()
 
+			// Validate that dependency config paths are unique
+			if err := ValidateUniqueConfigPaths(decoded.Dependencies); err != nil {
+				return nil, err
+			}
+
 			output.TerragruntDependencies = decoded.Dependencies
 			// Convert dependency blocks into module dependency lists. If we already decoded some dependencies,
 			// merge them in. Otherwise, set as the new list.
@@ -746,3 +756,26 @@ type InvalidPartialBlockName struct {
 func (err InvalidPartialBlockName) Error() string {
 	return fmt.Sprintf("Unrecognized partial block code %d. This is most likely an error in terragrunt. Please file a bug report on the project repository.", err.sectionCode)
 }
+
+// ValidateUniqueIncludePaths ensures that all include paths are unique within a configuration.
+func ValidateUniqueIncludePaths(includes IncludeConfigs) error {
+	includePaths := make(map[string]string) // map[path]include_name
+
+	for _, inc := range includes {
+		if inc.Path == "" {
+			// Skip includes without path (shouldn't happen but be defensive)
+			continue
+		}
+
+		if existingIncludeName, exists := includePaths[inc.Path]; exists {
+			return fmt.Errorf("duplicate include path '%s' found in include blocks. "+
+				"Include '%s' and include '%s' both point to the same path. "+
+				"Each include must have a unique path",
+				inc.Path, existingIncludeName, inc.Name)
+		}
+
+		includePaths[inc.Path] = inc.Name
+	}
+
+	return nil
+}
@@ -388,3 +388,59 @@ dependency "ec2" {
 	require.NoError(t, err)
 	assert.Len(t, terragruntConfig.Dependencies.Paths, 1)
 }
+
+func TestValidateUniqueIncludePaths(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name        string
+		expectedErr string
+		includes    config.IncludeConfigs
+		expectError bool
+	}{
+		{
+			name: "unique include paths",
+			includes: config.IncludeConfigs{
+				{Name: "root", Path: "../../terragrunt.hcl"},
+				{Name: "common", Path: "../common.hcl"},
+			},
+			expectError: false,
+		},
+		{
+			name: "single include",
+			includes: config.IncludeConfigs{
+				{Name: "root", Path: "../../terragrunt.hcl"},
+			},
+			expectError: false,
+		},
+		{
+			name:        "no includes",
+			includes:    config.IncludeConfigs{},
+			expectError: false,
+		},
+		{
+			name: "duplicate include paths",
+			includes: config.IncludeConfigs{
+				{Name: "root", Path: "../../terragrunt.hcl"},
+				{Name: "backup", Path: "../../terragrunt.hcl"}, // Same path as root
+			},
+			expectError: true,
+			expectedErr: "duplicate include path '../../terragrunt.hcl' found in include blocks. Include 'root' and include 'backup' both point to the same path",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			err := config.ValidateUniqueIncludePaths(tc.includes)
+
+			if tc.expectError {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), tc.expectedErr)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
@@ -119,6 +119,30 @@ func (dep *Dependency) DeepMerge(sourceDepConfig Dependency) error {
 	return nil
 }
 
+// ValidateUniqueConfigPaths ensures that all dependency config_path values are unique within a configuration.
+func ValidateUniqueConfigPaths(dependencies Dependencies) error {
+	configPaths := make(map[string]string) // map[config_path]dependency_name
+
+	for _, dep := range dependencies {
+		configPath := dep.ConfigPath.AsString()
+		if configPath == "" {
+			// Skip dependencies without config_path (filtered out elsewhere)
+			continue
+		}
+
+		if existingDepName, exists := configPaths[configPath]; exists {
+			return fmt.Errorf("duplicate config_path '%s' found in dependency blocks. "+
+				"Dependency '%s' and dependency '%s' both point to the same config path. "+
+				"Each dependency must have a unique config_path",
+				configPath, existingDepName, dep.Name)
+		}
+
+		configPaths[configPath] = dep.Name
+	}
+
+	return nil
+}
+
 // getMockOutputsMergeStrategy returns the MergeStrategyType following the deprecation of mock_outputs_merge_with_state
 // - If mock_outputs_merge_strategy_with_state is not null. The value of mock_outputs_merge_strategy_with_state will be returned
 // - If mock_outputs_merge_strategy_with_state is null and mock_outputs_merge_with_state is not null:
@@ -210,6 +234,11 @@ func decodeAndRetrieveOutputs(ctx *ParsingContext, l log.Logger, file *hclparse.
 	// In normal operation, if a dependency block does not have a `config_path` attribute, decoding returns an error since this attribute is required, but the `hclvalidate` command suppresses decoding errors and this causes a cycle between modules, so we need to filter out dependencies without a defined `config_path`.
 	decodedDependency.Dependencies = decodedDependency.Dependencies.FilteredWithoutConfigPath()
 
+	// Validate that dependency config paths are unique
+	if err := ValidateUniqueConfigPaths(decodedDependency.Dependencies); err != nil {
+		return nil, err
+	}
+
 	if err := checkForDependencyBlockCycles(ctx, l, file.ConfigPath, decodedDependency); err != nil {
 		return nil, err
 	}

@@ -150,3 +150,119 @@ dependency "vpc" {
 	require.NoError(t, file.Decode(&decoded, &hcl.EvalContext{}))
 	assert.Len(t, decoded.Dependencies, 2)
 }
+
+func TestValidateUniqueConfigPaths_Success(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		hclCode string
+	}{
+		{
+			name: "unique config paths",
+			hclCode: `
+dependency "vpc" {
+  config_path = "../vpc"
+}
+
+dependency "database" {
+  config_path = "../database"
+}
+`,
+		},
+		{
+			name: "single dependency",
+			hclCode: `
+dependency "vpc" {
+  config_path = "../vpc"
+}
+`,
+		},
+		{
+			name: "no dependencies",
+			hclCode: `
+locals {
+  vpc_id = "vpc-123"
+}
+`,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+
+			filename := config.DefaultTerragruntConfigPath
+			file, err := hclparse.NewParser().ParseFromString(test.hclCode, filename)
+			require.NoError(t, err)
+
+			decoded := config.TerragruntDependency{}
+			err = file.Decode(&decoded, &hcl.EvalContext{})
+			require.NoError(t, err)
+
+			// Also test the validation function directly
+			err = config.ValidateUniqueConfigPaths(decoded.Dependencies)
+			require.NoError(t, err)
+		})
+	}
-func TestValidateUniqueConfigPaths_Success(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		name    string
-		hclCode string
-	}{
-		{
-			name: "unique config paths",
-			hclCode: `
-dependency "vpc" {
-  config_path = "../vpc"
-}
-
-dependency "database" {
-  config_path = "../database"
-}
-`,
-		},
-		{
-			name: "single dependency",
-			hclCode: `
-dependency "vpc" {
-  config_path = "../vpc"
-}
-`,
-		},
-		{
-			name: "no dependencies",
-			hclCode: `
-locals {
-  vpc_id = "vpc-123"
-}
-`,
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			t.Parallel()
-
-			filename := config.DefaultTerragruntConfigPath
-			file, err := hclparse.NewParser().ParseFromString(test.hclCode, filename)
-			require.NoError(t, err)
-
-			decoded := config.TerragruntDependency{}
-			err = file.Decode(&decoded, &hcl.EvalContext{})
-			require.NoError(t, err)
-
-			// Also test the validation function directly
-			err = config.ValidateUniqueConfigPaths(decoded.Dependencies)
-			require.NoError(t, err)
-		})
-	}
+func TestValidateUniqueConfigPaths_Success(t *testing.T) {
+    t.Parallel()
+
+    tests := []struct {
+        name    string
+        hclCode string
+    }{
+        {
+            name: "unique config paths",
+            hclCode: `
+dependency "vpc" {
+  config_path = "../vpc"
+}
+
+dependency "database" {
+  config_path = "../database"
+}
+`,
+        },
+        {
+            name: "single dependency",
+            hclCode: `
+dependency "vpc" {
+  config_path = "../vpc"
+}
+`,
+        },
+        {
+            name: "no dependencies",
+            hclCode: `
+locals {
+  vpc_id = "vpc-123"
+}
+`,
+        },
+    }
+
+    for _, test := range tests {
+        tc := test
+        t.Run(tc.name, func(t *testing.T) {
+            t.Parallel()
+
+            filename := config.DefaultTerragruntConfigPath
+            file, err := hclparse.NewParser().ParseFromString(tc.hclCode, filename)
+            require.NoError(t, err)
+
+            decoded := config.TerragruntDependency{}
+            err = file.Decode(&decoded, &hcl.EvalContext{})
+            require.NoError(t, err)
+
+            // Also test the validation function directly
+            err = config.ValidateUniqueConfigPaths(decoded.Dependencies)
+            require.NoError(t, err)
+        })
+    }
+}
-func TestValidateUniqueConfigPaths_Success(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		name    string
-		hclCode string
-	}{
-		{
-			name: "unique config paths",
-			hclCode: `
-dependency "vpc" {
-  config_path = "../vpc"
-}
-
-dependency "database" {
-  config_path = "../database"
-}
-`,
-		},
-		{
-			name: "single dependency",
-			hclCode: `
-dependency "vpc" {
-  config_path = "../vpc"
-}
-`,
-		},
-		{
-			name: "no dependencies",
-			hclCode: `
-locals {
-  vpc_id = "vpc-123"
-}
-`,
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			t.Parallel()
-
-			filename := config.DefaultTerragruntConfigPath
-			file, err := hclparse.NewParser().ParseFromString(test.hclCode, filename)
-			require.NoError(t, err)
-
-			decoded := config.TerragruntDependency{}
-			err = file.Decode(&decoded, &hcl.EvalContext{})
-			require.NoError(t, err)
-
-			// Also test the validation function directly
-			err = config.ValidateUniqueConfigPaths(decoded.Dependencies)
-			require.NoError(t, err)
-		})
-	}
+func TestValidateUniqueConfigPaths_Success(t *testing.T) {
+    t.Parallel()
+
+    tests := []struct {
+        name    string
+        hclCode string
+    }{
+        {
+            name: "unique config paths",
+            hclCode: `
+dependency "vpc" {
+  config_path = "../vpc"
+}
+
+dependency "database" {
+  config_path = "../database"
+}
+`,
+        },
+        {
+            name: "single dependency",
+            hclCode: `
+dependency "vpc" {
+  config_path = "../vpc"
+}
+`,
+        },
+        {
+            name: "no dependencies",
+            hclCode: `
+locals {
+  vpc_id = "vpc-123"
+}
+`,
+        },
+    }
+
+    for _, test := range tests {
+        tc := test
+        t.Run(tc.name, func(t *testing.T) {
+            t.Parallel()
+
+            filename := config.DefaultTerragruntConfigPath
+            file, err := hclparse.NewParser().ParseFromString(tc.hclCode, filename)
+            require.NoError(t, err)
+
+            decoded := config.TerragruntDependency{}
+            err = file.Decode(&decoded, &hcl.EvalContext{})
+            require.NoError(t, err)
+
+            // Also test the validation function directly
+            err = config.ValidateUniqueConfigPaths(decoded.Dependencies)
+            require.NoError(t, err)
+        })
+    }
+}
+}
+
+func TestValidateUniqueConfigPaths_Failure(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name        string
+		hclCode     string
+		expectedErr string
+	}{
+		{
+			name: "duplicate config paths",
+			hclCode: `
+dependency "vpc" {
+  config_path = "../vpc"
+}
+
+dependency "network" {
+  config_path = "../vpc"
+}
+`,
+			expectedErr: "duplicate config_path '../vpc' found in dependency blocks. Dependency 'vpc' and dependency 'network' both point to the same config path",
+		},
+		{
+			name: "multiple duplicates",
+			hclCode: `
+dependency "app1" {
+  config_path = "../app"
+}
+
+dependency "app2" {
+  config_path = "../app"
+}
+
+dependency "app3" {
+  config_path = "../app"
+}
+`,
+			expectedErr: "duplicate config_path '../app' found in dependency blocks. Dependency 'app1' and dependency 'app2' both point to the same config path",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+
+			filename := config.DefaultTerragruntConfigPath
+			file, err := hclparse.NewParser().ParseFromString(test.hclCode, filename)
+			require.NoError(t, err)
+
+			decoded := config.TerragruntDependency{}
+			err = file.Decode(&decoded, &hcl.EvalContext{})
+			require.NoError(t, err)
+
+			// Test the validation function directly
+			err = config.ValidateUniqueConfigPaths(decoded.Dependencies)
+			require.Error(t, err)
+			assert.Contains(t, err.Error(), test.expectedErr)
+		})
+	}
+}
@@ -7,6 +7,7 @@ import (
 	"github.com/hashicorp/hcl/v2"
 	"github.com/hashicorp/hcl/v2/gohcl"
 	"github.com/hashicorp/hcl/v2/hclparse"
+	"github.com/hashicorp/hcl/v2/hclsyntax"
 )
 
 const (
@@ -65,6 +66,11 @@ func (file *File) Decode(out any, evalContext *hcl.EvalContext) (err error) {
 		}
 	}
 
+	// Validate for duplicate labeled blocks before decoding
+	if err := file.validateNoDuplicateBlocks(); err != nil {
+		return err
+	}
+
 	diags := gohcl.DecodeBody(file.Body, evalContext, out)
 	if err := file.HandleDiagnostics(diags); err != nil {
 		return errors.New(err)
@@ -129,3 +135,38 @@ func (file *File) JustAttributes() (Attributes, error) {
 func (file *File) HandleDiagnostics(diags hcl.Diagnostics) error {
 	return file.Parser.handleDiagnostics(file, diags)
 }
+
+// validateNoDuplicateBlocks checks for duplicate labeled blocks in the HCL file.
+func (file *File) validateNoDuplicateBlocks() error {
+	// Only validate syntax bodies, skip others
+	body, ok := file.Body.(*hclsyntax.Body)
+	if !ok {
+		return nil
+	}
+
+	// Track all block labels to prevent duplicates
+	allBlockLabels := make(map[string]*hcl.Block)
+
+	for _, syntaxBlock := range body.Blocks {
+		hclBlock := syntaxBlock.AsHCLBlock()
+
+		// Check for duplicate block labels (only for blocks with labels)
+		if len(hclBlock.Labels) > 0 {
+			blockKey := hclBlock.Type + "." + hclBlock.Labels[0]
+
+			if existingBlock, exists := allBlockLabels[blockKey]; exists {
+				return errors.New(&hcl.Diagnostic{
+					Severity: hcl.DiagError,
+					Summary:  fmt.Sprintf("Duplicate %s block", hclBlock.Type),
+					Detail: fmt.Sprintf("Duplicate %s block with label '%s' found. Previous block was defined at %s",
+						hclBlock.Type, hclBlock.Labels[0], existingBlock.DefRange.String()),
+					Subject: &hclBlock.DefRange,
+				})
+			}
+
+			allBlockLabels[blockKey] = hclBlock
+		}
+	}
+
+	return nil
+}