Inconsistent results when evaluating multiple required_providers with override files

[ccp-void]

Summary

There seems to be an issue with tflint when there exists multiple terraform blocks which terraform merges according to the override files feature. In my case I'm using Terragrunt and have a backend.tf, versions.tf and a versions_override.tf file when tflint is executed. When these three files exist with the example content tflint seems to suffer from a race condition or some other inconsistency in how it evaluates/merges the override file.

This issue manifests itself in that tflint will only intermittently report a linting error. Note how in the output provided I run tflint 7 times in a row in the shell, without any changes to the code in between, resulting in 2 out of those 7 executions reporting an error.

Command

tflint

Terraform Configuration

backend.tf

# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
terraform {
  backend "s3" {
    bucket         = "bucket"
    dynamodb_table = "tf-locks"
    encrypt        = true
    key            = "path/to/tf.tfstate"
    region         = "us-east-1"
  }
}

provider.tf

# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
provider "aws" {
  region              = "us-east-1"
  allowed_account_ids = ["111111111111"]
}

versions.tf

terraform {
  required_providers {
    kubectl = {
      source  = "gavinbunney/kubectl"
      version = ">= 1.14.0"
    }
  }
}

versions_override.tf

# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.64.0"
    }
  }
  required_version = ">= 0.19"
}

TFLint Configuration

plugin "terraform" {
  enabled = true
  preset  = "recommended"
  version = "0.9.1"
  source  = "github.com/terraform-linters/tflint-ruleset-terraform"
}

plugin "aws" {
  enabled = true
  version = "0.32.0"
  source  = "github.com/terraform-linters/tflint-ruleset-aws"
}

config {
  module = true
}

Output

/tmp/tf                                                                                             
❯ tflint

/tmp/tf                                                                                             
❯ tflint

/tmp/tf                                                                                             
❯ tflint

/tmp/tf                                                                                             
❯ tflint
1 issue(s) found:

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on provider.tf line 2:
   2: provider "aws" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.8.0/docs/rules/terraform_required_providers.md

/tmp/tf                                                                                             
❯ tflint

/tmp/tf                                                                                             
❯ tflint

/tmp/tf                                                                                             
❯ tflint
1 issue(s) found:

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on provider.tf line 2:
   2: provider "aws" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.8.0/docs/rules/terraform_required_providers.md

TFLint Version

0.52.0, 0.53.0

Terraform Version

1.9.4

Operating System

• Linux
• macOS
• Windows

[wata727]

Thank you for reporting this, it seems to be a bug caused by overlooking that the terraform blocks can be declared multiple times.

I didn't know that you could define the terraform blocks multiple times outside of *_override.tf (overrides are resolved internally and are therefore irrelevant to this issue).
Looking at the upstream implementation, this appears to be the correct behavior.
https://github.com/hashicorp/terraform/blob/v1.5.7/internal/configs/parser_config.go#L60-L102

The current terraform_required_providers rule gives precedence to the last terraform block that appears, causing inconsistent results depending on the order of the terraform blocks that are retrieved.
https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/rules/terraform_required_providers.go#L151-L156

Perhaps merging the attributes of each terraform block will fix this issue.

[wata727]

After some more investigation, it appears there is a bug not only with multiple terraform blocks, but also with the behavior of overrides. In this issue, the latter is the case.

Terraform's merge behavior is defined as follows, but TFLint probably doesn't implement it strictly.
https://developer.hashicorp.com/terraform/language/files/override
https://github.com/terraform-linters/tflint/blob/v0.53.0/terraform/module.go#L155-L174

[wata727]

This bug has been fixed in TFLint v0.54.0 terraform-linters/tflint#2124