tflint-ruleset-terraform

`terraform_unused_required_providers` errors with implicit module passing

Open tmatilai opened this issue 3 years ago • 7 comments

terraform-linters/tflint#1225 fixed the case where a provider was explicitly passed to a module, but stated:

> It remains a lint error to declare a required provider when it is implicitly inherited by the child module, as that declaration is the child's responsibility.

But this is in conflict with the Terraform best practices:

> Terraform Core and Provider Versions
>
>   • Reusable modules should constrain only their minimum allowed versions of Terraform and providers, such as >= 0.12.0. This helps avoid known incompatibilities, while allowing the user of the module flexibility to upgrade to newer versions of Terraform without altering the module.
>
>   • Root modules should use a ~> constraint to set both a lower and upper bound on versions for each provider they depend on.

I.e. the root modules should specify a (stricter) version requirement. But tflint complains about it.

tmatilai avatar Mar 21 '22 09:03 tmatilai

Yes, I've also run into this. Your notes/citations are accurate, this should be allowed. Short of disabling the rule entirely, it seems like walking the module tree and accumulating all required providers will be necessary.

This is only an issue when you use environment variables to configure your providers. When a provider block is used that will serve as a usage of the provider in the root module.

bendrucker avatar Mar 21 '22 14:03 bendrucker

> This is only an issue when you use environment variables to configure your providers.

And not all providers even need configuration. For example null or random.

tmatilai avatar Mar 21 '22 14:03 tmatilai

Another time that this issue comes up is when the root module passes a provider alias into a child module, and that child module has no resources but implicitly passes to another child module. TF will complain if a module is passed a provider alias but doesn't require that provider, and tf will complain that the required provider is unused even though it is implicitly used by a child module.

If that's confusing: root module that sets provider alias > child module with no resources > module with resources

dmikalova avatar Mar 17 '23 20:03 dmikalova
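A sketch of the tree walk suggested earlier in this thread, applied to the root > pass-through child > module-with-resources layout from the comment above. It is an added example, not code from tflint or its rulesets; the `Module` type, its fields and the sample tree are hypothetical, and it assumes every child inherits its parent's providers implicitly (aliases and explicit `providers` maps are not modeled).

```go
package main

import "fmt"

// Module is a simplified, hypothetical model of one Terraform module.
// Assumption: children always inherit provider configurations implicitly.
type Module struct {
	Name     string
	Required []string  // local names declared in required_providers
	Used     []string  // providers referenced by resources, data sources or provider blocks
	Children []*Module // module calls made from this module
}

// usedInTree records every provider referenced by m or any descendant.
func usedInTree(m *Module, seen map[string]bool) {
	for _, p := range m.Used {
		seen[p] = true
	}
	for _, c := range m.Children {
		usedInTree(c, seen)
	}
}

// UnusedRequired returns the providers m declares that neither m nor any
// module below it references, in declaration order.
func UnusedRequired(m *Module) []string {
	seen := map[string]bool{}
	usedInTree(m, seen)
	var unused []string
	for _, p := range m.Required {
		if !seen[p] {
			unused = append(unused, p)
		}
	}
	return unused
}

// SampleTree is constructed sample data: root > passthrough (no resources) > leaf.
func SampleTree() *Module {
	leaf := &Module{Name: "leaf", Required: []string{"aws", "random"}, Used: []string{"aws", "random"}}
	mid := &Module{Name: "passthrough", Required: []string{"aws"}, Children: []*Module{leaf}}
	return &Module{Name: "root", Required: []string{"aws", "random", "http"}, Children: []*Module{mid}}
}

func main() {
	root := SampleTree()
	fmt.Println(UnusedRequired(root))             // only "http" is referenced nowhere in the tree
	fmt.Println(UnusedRequired(root.Children[0])) // the pass-through module's "aws" counts as used
}
```

A per-module check would flag `aws` and `random` in the root and `aws` in the pass-through module; accumulating over the subtree leaves only the declaration that no module references.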

Hi guys, do you have any update about this? Explicit passing is now being marked as deprecated (legacy).

https://developer.hashicorp.com/terraform/language/modules/develop/providers#implicit-provider-inheritance

d4n13lbc avatar Apr 04 '23 03:04 d4n13lbc

There is no change to the official Terraform guidance, as can be seen looking at that page's GitHub history.

bendrucker avatar Apr 04 '23 12:04 bendrucker

This is still an issue and makes this linting rule cause false positives. This can be seen when required_providers is set in a module and uses account aliases:

```
1 issue(s) found:

Warning: Missing version constraint for provider "aws" in "required_providers" (terraform_required_providers)

  on security.tf line 10:
  10: module "guardduty" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_required_providers.md
```

The module:

```hcl
terraform {
  required_version = ">= 1.0.0"
  required_providers {
    aws = {
      source                = "hashicorp/aws"
      version               = ">= 4.0.0"
      configuration_aliases = [aws.organization_management_account, aws.organization_security_account]
    }
  }
}
...
```

zachreborn avatar Jan 02 '24 15:01 zachreborn

Just ran into that issue (again). Instead of adding a tflint-ignore for that provider/error, I just added an empty provider block to fix this issue. Not perfect, but it works.

```hcl
provider "http" {}
```

Skaronator avatar May 06 '25 08:05 Skaronator