feat(provisioner/terraform/tfparse): add support for built-in Terraform functions (#16183)

Relates to https://github.com/coder/coder/issues/15977 Adds support for some functions in `tfparse` (only functions that do not reference local files). NOTE: for now, I'm importing trivy-iac. If we prefer to avoid a little dependency, I can do a little copying instead.
2025-07-30 22:19:53 +00:00 · 2025-01-20 11:03:57 +00:00
parent 7bef4dfda6
commit 4ba0b39f03
6 changed files with 222 additions and 5 deletions
--- a/provisioner/terraform/tfparse/tfparse_test.go
+++ b/provisioner/terraform/tfparse/tfparse_test.go
@@ -416,13 +416,52 @@ func Test_WorkspaceTagDefaultsFromFile(t *testing.T) {
 			expectError: `There is no variable named "foo_bar"`,
 		},
 		{
-			name: "main.tf with functions in workspace tags",
+			name: "main.tf with allowed functions in workspace tags",
 			files: map[string]string{
 				"main.tf": `
 					provider "foo" {}
 					resource "foo_bar" "baz" {
 						name = "foobar"
 					}
+					locals {
+						some_path = pathexpand("file.txt")
+					}
+					variable "region" {
+						type    = string
+						default = "us"
+					}
+					data "coder_parameter" "unrelated" {
+						name    = "unrelated"
+						type    = "list(string)"
+						default = jsonencode(["a", "b"])
+					}
+					data "coder_parameter" "az" {
+						name = "az"
+						type = "string"
+						default = "a"
+					}
+					data "coder_workspace_tags" "tags" {
+						tags = {
+							"platform"  = "kubernetes",
+							"cluster"   = "${"devel"}${"opers"}"
+							"region"    = try(split(".", var.region)[1], "placeholder")
+							"az"        = try(split(".", data.coder_parameter.az.value)[1], "placeholder")
+						}
+					}`,
+			},
+			expectTags: map[string]string{"platform": "kubernetes", "cluster": "developers", "region": "placeholder", "az": "placeholder"},
+		},
+		{
+			name: "main.tf with disallowed functions in workspace tags",
+			files: map[string]string{
+				"main.tf": `
+					provider "foo" {}
+					resource "foo_bar" "baz" {
+						name = "foobar"
+					}
+					locals {
+						some_path = pathexpand("file.txt")
+					}
 					variable "region" {
 						type    = string
 						default = "region.us"
@@ -443,11 +482,12 @@ func Test_WorkspaceTagDefaultsFromFile(t *testing.T) {
 							"cluster"   = "${"devel"}${"opers"}"
 							"region"    = try(split(".", var.region)[1], "placeholder")
 							"az"        = try(split(".", data.coder_parameter.az.value)[1], "placeholder")
+							"some_path" = pathexpand("~/file.txt")
 						}
 					}`,
 			},
 			expectTags:  nil,
-			expectError: `Function calls not allowed; Functions may not be called here.`,
+			expectError: `function "pathexpand" may not be used here`,
 		},
 		{
 			name: "supported types",