Improve missing Terraform config errors #12070

Open
preko-p wants to merge 8 commits into radius-project:main from preko-p:9477-terraform-missing-config-error

preko-p commented Jun 8, 2026

Description

This improves Terraform recipe inspection so a missing downloaded module directory, missing subdirectory, or module directory without Terraform configuration files returns an actionable error:

The Terraform configuration in location <templatePath> is not found.

Malformed Terraform configuration still flows through the existing tfconfig.LoadModule diagnostics as error loading the module: ....

Type of change

  • This pull request fixes a bug in Radius and has an approved issue (issue link required).

Fixes: #9477

Contributor checklist

Please verify that the PR meets the following requirements, where applicable:

  • An overview of proposed schema changes is included in a linked GitHub issue.
    • Yes
    • Not applicable
  • A design document is added or updated under eng/design-notes/ in this repository, if new APIs are being introduced.
    • Yes
    • Not applicable
  • The design document has been reviewed and approved by Radius maintainers/approvers.
    • Yes
    • Not applicable
  • A PR for resource-types-contrib is created, if resource types or recipes are affected by the changes in this PR.
    • Yes
    • Not applicable
  • A PR for dashboard is created, if the Radius Dashboard is affected by the changes in this PR.
    • Yes
    • Not applicable
  • A PR for the documentation repository is created, if the changes in this PR affect the documentation or any user facing updates are made.
    • Yes
    • Not applicable

Verification

  • git diff --check
  • docker run --rm golang:1.26.4 go version
  • docker run --rm --user "$(id -u):$(id -g)" -v "$PWD":/repo -w /repo golang:1.26.4 gofmt -w pkg/recipes/terraform/module.go pkg/recipes/terraform/module_test.go
  • docker run --rm --user "$(id -u):$(id -g)" -v "$PWD":/repo -w /repo -e HOME=/tmp -e GOCACHE=/tmp/gocache -e GOMODCACHE=/tmp/gomodcache golang:1.26.4 go test ./pkg/recipes/terraform -run Test_InspectTFModuleConfig
  • docker run --rm --user "$(id -u):$(id -g)" -v "$PWD":/repo -w /repo -e HOME=/tmp -e GOCACHE=/tmp/gocache -e GOMODCACHE=/tmp/gomodcache golang:1.26.4 go test ./pkg/recipes/terraform ./pkg/recipes/driver/terraform

AI assistance disclosure

This PR was prepared with AI assistance and reviewed locally before submission.

Copilot AI review requested due to automatic review settings June 8, 2026 17:36
preko-p requested review from a team as code owners June 8, 2026 17:36
preko-p requested a deployment to external-contributor-approval June 8, 2026 17:37 with GitHub Actions (Waiting)

Copilot AI left a comment

Contributor

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR tightens Terraform module inspection by detecting missing Terraform configuration files up front and improving test coverage for missing/invalid module scenarios.

Changes:

  • Added a pre-check for presence of .tf / .tf.json files before calling tfconfig.LoadModule.
  • Introduced a standardized error message for missing module configuration.
  • Expanded unit tests to cover missing submodules, missing config, and invalid config cases with optional exact error matching.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| pkg/recipes/terraform/module.go | Adds hasTerraformConfigFiles and returns a clearer “config not found” error before attempting module load. |
| pkg/recipes/terraform/module_test.go | Extends table-driven tests with setup hooks and exact error assertions for new failure modes. |

Comment thread pkg/recipes/terraform/module_test.go
Comment thread pkg/recipes/terraform/module.go
preko-p force-pushed the 9477-terraform-missing-config-error branch from 6d225dc to 03c5165 June 9, 2026 19:04
preko-p requested a deployment to external-contributor-approval June 9, 2026 19:04 with GitHub Actions (Waiting)
preko-p requested a deployment to external-contributor-approval June 10, 2026 16:24 with GitHub Actions (Waiting)

preko-p commented Jun 10, 2026

Author

Thanks, addressed both review comments in a follow-up push.

What changed:

  • Fixed the no-config test setup so it creates the module directory, not a directory named main.tf.
  • Switched the file scan to entry.Type().IsRegular() to avoid the extra Info() stat.
  • Added an explicit regression case for a directory named main.tf, so directory entries are still ignored even if their name looks like Terraform config.

Verification run locally through the Go 1.26.4 Docker image:

  • gofmt on the changed Go files
  • git diff --check
  • go test ./pkg/recipes/terraform -run Test_InspectTFModuleConfig
  • go test ./pkg/recipes/terraform ./pkg/recipes/driver/terraform

preko-p force-pushed the 9477-terraform-missing-config-error branch from 1b8c09b to 89ad95a June 10, 2026 16:29
preko-p temporarily deployed to external-contributor-approval June 10, 2026 16:29 with GitHub Actions (Inactive)

DariuszPorowski left a comment

Member

good, targeted fix! thank you

@willtsai @zachcasper @nicolejms The hardcoded .terraform/modules breaks if TF_DATA_DIR is set (tfexec inherits the pod env). Pre-existing, out of scope here, but flagging as latent tech debt.

codecov Bot commented Jun 22, 2026

Codecov Report

❌ Patch coverage is 74.28571% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 52.88%. Comparing base (f703bc7) to head (811cc5a).

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| pkg/recipes/terraform/module.go | 74.28% | 5 Missing and 4 partials ⚠️ |

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #12070   +/-   ##
=======================================
  Coverage   52.88%   52.88%           
=======================================
  Files         751      751           
  Lines       48353    48387   +34     
=======================================
+ Hits        25572    25591   +19     
- Misses      20384    20392    +8     
- Partials     2397     2404    +7     

Comment thread pkg/recipes/terraform/module.go Fixed
Comment thread pkg/recipes/terraform/module.go Fixed
Comment thread pkg/recipes/terraform/module.go Fixed
Comment thread pkg/recipes/terraform/module.go Fixed
DariuszPorowski requested a deployment to external-contributor-approval June 23, 2026 04:54 with GitHub Actions (Waiting)

preko-p commented Jun 24, 2026

Author

Pushed a follow-up for the new CodeQL findings and refreshed the branch with current main so the spellcheck config move is included.

What changed:

  • Validate the downloaded module name and submodule path with filepath.Clean + filepath.IsLocal before building the .terraform/modules path.
  • Add a missing Terraform config precheck so absent/non-config module dirs fail with the existing user-facing message.
  • Add a nil guard after tfconfig.LoadModule diagnostics.
  • Add regression tests for traversal attempts, missing submodules/config, and config-like directories.

Verification run with Go 1.26.4:

  • git diff --check
  • go test ./pkg/recipes/terraform -run Test_InspectTFModuleConfig
  • go test ./pkg/recipes/terraform ./pkg/recipes/driver/terraform

Post-push checks have started; DCO and Check Trust are passing, Approval Gate is still pending.
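
The path validation and file scan described in the comment above, sketched as an added example (not code from this PR or from Radius). `modulePath` and `hasConfigFiles` are hypothetical names, and rejecting an empty or `.` module name is an assumption beyond what the comment states.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// modulePath (hypothetical, not Radius code) joins the untrusted name and
// sub under .terraform/modules only if each is Clean and IsLocal.
func modulePath(workDir, name, sub string) (string, error) {
	name = filepath.Clean(name)
	if name == "." || !filepath.IsLocal(name) {
		return "", fmt.Errorf("invalid module name %q", name)
	}
	sub = filepath.Clean(sub) // "" cleans to ".", meaning "no submodule"
	if !filepath.IsLocal(sub) {
		return "", fmt.Errorf("invalid submodule path %q", sub)
	}
	return filepath.Join(workDir, ".terraform", "modules", name, sub), nil
}

// hasConfigFiles (hypothetical) looks for a regular *.tf or *.tf.json file
// in dir; a missing dir, subdirectories and symlinks all count as no config.
func hasConfigFiles(dir string) (bool, error) {
	entries, err := os.ReadDir(dir)
	if errors.Is(err, os.ErrNotExist) {
		return false, nil
	}
	if err != nil {
		return false, err
	}
	for _, e := range entries {
		n := e.Name()
		if e.Type().IsRegular() && (strings.HasSuffix(n, ".tf") || strings.HasSuffix(n, ".tf.json")) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	for _, name := range []string{"db", "../../etc", "db/../.."} { // constructed inputs
		p, err := modulePath("/work", name, "")
		fmt.Printf("%q -> %q, err=%v\n", name, p, err)
	}
}
```

`filepath.IsLocal` is a lexical check only: it does not resolve symlinks that already exist inside the modules directory.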

DariuszPorowski temporarily deployed to external-contributor-approval June 25, 2026 21:02 with GitHub Actions (Inactive)
DariuszPorowski added a commit to preko-p/radius that referenced this pull request Jun 26, 2026
# Description

This pull request updates several GitHub Actions workflow files to add
the `allow-unsafe-pr-checkout: true` option to various
`actions/checkout` steps. This change ensures that workflows can check
out pull request code even when GitHub's default protections would block
it, which can be necessary for certain workflows or testing scenarios -
PR checkout from forks.

Discovered in radius-project#12070 after
radius-project#12246

`Error: Refusing to check out fork pull request code from a
'pull_request_target' workflow. This workflow runs with the base
repository's GITHUB_TOKEN, secrets, default-branch cache scope, and
runner access. Fetching and executing a fork's code in that trusted
context commonly leads to "pwn request" vulnerabilities. To opt in,
review the risks at https://gh.io/securely-using-pull_request_target and
set 'allow-unsafe-pr-checkout: true' on the actions/checkout step.`

## Type of change

- This pull request is a minor refactor, code cleanup, test improvement,
or other maintenance task and doesn't change the functionality of Radius
(issue link optional).

## Contributor checklist
Please verify that the PR meets the following requirements, where
applicable:

- An overview of proposed schema changes is included in a linked GitHub
issue.
    - [ ] Yes
    - [x] Not applicable
- A design document is added or updated under `eng/design-notes/` in
this repository, if new APIs are being introduced.
    - [ ] Yes
    - [x] Not applicable
- The design document has been reviewed and approved by Radius
maintainers/approvers.
    - [ ] Yes
    - [x] Not applicable
- A PR for
[resource-types-contrib](https://github.com/radius-project/resource-types-contrib/)
is created, if resource types or recipes are affected by the changes in
this PR.
    - [ ] Yes
    - [x] Not applicable
- A PR for [dashboard](https://github.com/radius-project/dashboard/) is
created, if the Radius Dashboard is affected by the changes in this PR.
    - [ ] Yes
    - [x] Not applicable
- A PR for the [documentation
repository](https://github.com/radius-project/docs) is created, if the
changes in this PR affect the documentation or any user facing updates
are made.
    - [ ] Yes
    - [x] Not applicable
DariuszPorowski temporarily deployed to external-contributor-approval June 26, 2026 00:25 with GitHub Actions (Inactive)

radius-functional-tests Bot commented Jun 26, 2026

Radius functional test overview

| Name | Value |
| --- | --- |
| Repository | preko-p/radius |
| Commit ref | 811cc5a |
| Unique ID | func0e1e01522d |
| Image tag | pr-func0e1e01522d |

  • Dapr: 1.14.4
  • Azure KeyVault CSI driver: 1.4.2
  • Azure Workload identity webhook: 1.3.0
  • Bicep recipe location ghcr.io/radius-project/dev/test/testrecipes/test-bicep-recipes/<name>:pr-func0e1e01522d
  • Terraform recipe location http://tf-module-server.radius-test-tf-module-server.svc.cluster.local/<name>.zip (in cluster)
  • applications-rp test image location: ghcr.io/radius-project/dev/applications-rp:pr-func0e1e01522d
  • dynamic-rp test image location: ghcr.io/radius-project/dev/dynamic-rp:pr-func0e1e01522d
  • controller test image location: ghcr.io/radius-project/dev/controller:pr-func0e1e01522d
  • ucp test image location: ghcr.io/radius-project/dev/ucpd:pr-func0e1e01522d
  • deployment-engine test image location: ghcr.io/radius-project/deployment-engine:latest

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
⌛ Starting ucp-cloud functional tests...
⌛ Starting corerp-cloud functional tests...
✅ ucp-cloud functional tests succeeded
✅ corerp-cloud functional tests succeeded

DariuszPorowski left a comment

Member

🤘🚀

@DariuszPorowski

Member

@preko-p overall looks good, approved. Thank you!

We require verified commits, see
https://github.com/radius-project/radius/blob/main/docs/contributing/contributing-code/contributing-code-first-commit/first-commit-06-creating-a-pr/index.md#signing-your-commits

Without it the PR will be blocked to merge.

Successfully merging this pull request may close these issues.

Wrong error when Terraform configuration is not found
