Description
Describe the bug
Terragrunt cannot validate inputs if a Terraform module uses variables in "source" or "version" fields. Being able to use variables (or locals) in source or version fields within a Terraform module is an OpenTofu-only feature available since OpenTofu 1.8 (I believe).
When Terragrunt is run with a command like:
terragrunt hcl validate --all --strict --inputs
an error similar to this is given:
19:51:02.367 ERROR Run failed: 2 errors occurred:
* Variables not allowed: Variables may not be used here. (and 17 other messages)
* Variables not allowed: Variables may not be used here. (and 3 other messages)
Steps To Reproduce
- Create a Terraform module that relies on another Terraform submodule. Use a local variable when referring to the submodule version. Example:
################################################################################
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "6.16.0"
    }
  }
}
provider "aws" {
  region = var.region
  allowed_account_ids = [
    var.account_id
  ]
}
################################################################################
locals {
  module_identity_aws_release = "1.1.2"
}
################################################################################
module "iam_role" {
  source  = "gitlab.com/bitservices/identity/aws//role"
  version = local.module_identity_aws_release # local used as the module version
  name    = "test-iam-role"
  assume_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::${var.account_id}:root"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
POLICY
}
module "iam_role_policy_ec2" {
  source  = "gitlab.com/bitservices/identity/aws//role-policy"
  version = local.module_identity_aws_release # local used as the module version
  name    = format("%s-ec2", module.iam_role.name)
  role    = module.iam_role.name
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": "*"
    }
  ]
}
POLICY
}
################################################################################
- Reference this Terraform module with any basic Terragrunt configuration
- The errors shown in the problem statement occur.
Expected behavior
For validation to pass (as long as inputs match required/optional variables). Even if they don't match, an error message stating this, rather than the errors above, which imply Terragrunt is unable to process the module at all.
Must haves
- Steps for reproduction provided.
Nice to haves
- Terminal output
- Screenshots
Versions
- Terragrunt version: 0.90.0
- OpenTofu/Terraform version: 1.10.6 (not relevant as not invoked)
- Environment details (Ubuntu 20.04, Windows 10, etc.): Archlinux
Additional context
The problem seems to be in this file: https://github.com/gruntwork-io/terragrunt/blob/main/tf/tf.go
Due to import: "github.com/hashicorp/terraform-config-inspect/tfconfig".
Terraform does not support variables in module references, OpenTofu does.
Terraform has this: https://github.com/hashicorp/terraform-config-inspect
I cannot find an equivalent for OpenTofu. Until one exists this might be a bit hard for me to work on myself as I guess the solution (package) will need to come from OpenTofu. Someone more involved in the OpenTofu project may know if a package that provides similar functionality is available perhaps under a different name.
Workaround
Obviously the main use case for this is going to be CI pipelines. Here is a (fairly gross) workaround:
See: https://gitlab.com/bitservices/gitlab/opentofu/-/blob/latest/templates/configs.yml?ref_type=heads
Under: terragrunt_validate
There is a section here: -- Begin Workaround for Terraform Internals --
and: -- End Workaround for Terraform Internals --
This calls the validation once and lets it fail in order to populate .terragrunt-cache. Then it replaces any "local" definitions for module versions with just 0.0.0, because we really don't care at this point - we just want to see if inputs align. Then it calls the validation again; this time we care about the output, and a failure would fail the pipeline.
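
A sketch of the two-pass sequence described in the workaround, as an added example that is not part of the original issue and is not taken from the linked GitLab template. The function names, the sed expression and the script name `validate.sh` are assumptions, and the rewrite expects each `version = local.<name>` reference to sit alone on its line, as in the module above.

```shell
#!/bin/sh
# Added example (not from the issue or the linked template): two-pass input
# validation for modules that use locals in module "version" fields.

# sed program: turn `version = local.<name>` into `version = "0.0.0"`.
# Assumption: the reference sits alone on its line, as in the issue's module.
PIN_EXPR='s/^([[:space:]]*version[[:space:]]*=[[:space:]]*)local\.[A-Za-z_][A-Za-z0-9_-]*[[:space:]]*$/\1"0.0.0"/'

# Rewrite only the copies under .terragrunt-cache; the real sources stay intact.
pin_cache() {
  root="${1:-.}"
  find "$root" -type f -name '*.tf' -path '*/.terragrunt-cache/*' \
    -exec sed -E -i.bak "$PIN_EXPR" {} +
  # -i.bak keeps the call portable between GNU and BSD sed; drop the backups.
  find "$root" -type f -name '*.tf.bak' -path '*/.terragrunt-cache/*' \
    -exec rm -f {} +
}

validate_inputs() {
  # Pass 1 is expected to fail; it only populates .terragrunt-cache.
  terragrunt hcl validate --all --strict --inputs >/dev/null 2>&1 || true
  pin_cache .
  # Pass 2 decides the pipeline result.
  terragrunt hcl validate --all --strict --inputs
}

# Run the full sequence only when asked, e.g. `sh validate.sh run` in CI
# (validate.sh is a hypothetical file name for this script).
if [ "${1:-}" = "run" ]; then
  validate_inputs
fi
```

Because the placeholder version exists only in the cached copies, this check says nothing about which module release is resolved at plan or apply time; it only confirms that inputs line up with declared variables.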