provider_missing_default_tags does not work with dynamic tags

[JeremieDoctrine]

We imports tags from a module.

And apply them this way :

provider "aws" {
  region = "eu-central-1"
  default_tags {
    tags = module.commons.tags
  }  
}

When trying to add the rule :

rule "aws_provider_missing_default_tags" {
    enabled = true
    tags = ["terraform_stack", "terraform_ci_deployed"]
}

tflint fails saying that theses tags are not set.

❯ tflint --config=./.tflint.hcl --recursive --minimum-failure-severity=notice && echo "succcess"
1 issue(s) found:

Notice: The provider is missing the following tags: "terraform_ci_deployed", "terraform_stack". (aws_provider_missing_default_tags)

  on providers.tf line 27:
  27:     tags = module.commons.tags

Reference: https://github.com/terraform-linters/tflint-ruleset-aws/blob/v0.33.0/docs/rules/aws_provider_missing_default_tags.md

If I manually set the tagsm it runs successfuly :

provider "aws" {
  region = "eu-central-1"
  default_tags {
    tags = {
      terraform_ci_deployed = "xoxo"
      terraform_stack       = "fdsfds"
    }
  }
}

❯ tflint --config=./.tflint.hcl --recursive --minimum-failure-severity=notice && echo "succcess"
succcess

I'm not sure if it is expected or not?

[bendrucker]

Well what's the module definition?

[JeremieDoctrine]

@bendrucker The module outputs something like that

output "tags" {
  value = merge(
    {
      terraform_stack       = var.stack
      terraform_ci_deployed = var.ci_deployed
    },
    var.workspace != "" ? { terraform_workspace = var.workspace } : {},
    var.contains_user_data ? { VantaContainsUserData = "True" } : {},
  )
}

[bendrucker]

What about the module call? Are all of those variables set?

Regardless, the definite bug here would be that required tags aren't suppressed entirely if the provider has default tags that are unknown.

When that happens, the rule should assume those default tags could be anything and return early without any further checks.

[JeremieDoctrine]

The module is called this way :

module "commons" {
  source      = "../commons?ref=commons-v1"
  stack       = "xxxx"
  ci_deployed = true
}

And it does not have default values:

variable "stack" {
  description = "macro level infra structure component (eg: vpc, main-db...)"
  type        = string
}
variable "ci_deployed" {
  description = "whether or not the stack is automatically deployed"
  type        = bool
}

It does not have default values but the values are set.

[bendrucker]

And var.contains_user_data and var.workspace have defaults?

[JeremieDoctrine]

Yes

variable "stack" {
  description = "macro level infra structure component (eg: vpc, main-db...)"
  type        = string
}
variable "workspace" {
  description = "environment (eg: production, development...)"
  type        = string
  default     = ""
}
variable "ci_deployed" {
  description = "whether or not the stack is automatically deployed"
  type        = bool
}
variable "contains_user_data" {
  description = "insert the reserved tag VantaContainsUserData"
  type        = bool
  default     = false
}

[bendrucker]

Hmm, so in theory merge should be able to determine a known type/value. But while in theory it's possible to statically evaluate these module outputs, it's not actually supported at the moment:

terraform-linters/tflint#2076

That said, #851 will fix the false positive issue that you're seeing.

[JeremieDoctrine]

Oh I see. Thanks a lot for finding the issue with tflint directly I didn't see it. Thanks again for providing a fix for the false positive 🙇