Issue with Terraform builtin providers

[BostjanBozic]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

Terraform

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

terraform {
  required_version = ">= 1.9.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.80.0"
    }
    github = {
      source  = "integrations/github"
      version = ">= 6.3.1"
    }
    google = {
      source  = "hashicorp/google"
      version = ">= 6.12.0"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = ">= 6.12.0"
    }
    local = {
      source  = "hashicorp/local"
      version = ">= 2.5.2"
    }
    terraform = {
      source = "terraform.io/builtin/terraform"
    }
  }
}

dependabot.yml content

---
version: 2
updates:
  # Maintain dependencies for GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    target-branch: dev
  # Maintain dependencies for Terraform providers
  - package-ecosystem: "terraform"
    directory: "/terraform"
    schedule:
      interval: "weekly"
    target-branch: dev

Updated dependency

No response

What you expected to see, versus what you actually saw

I would expect Dependabot to be able to run through without any issues. What happens though is that it fails when trying the check for builtin/terraform provider. With this one I do not have a specified version, since it depends on installed version of Terraform anyway (I am using this provider for provider::terraform::decode_tfvars functionality).

I also have some Terraform modules in private repositories and there is no problem there, only issue is with this builtin/terraform. Toward the end of logs I get Host does not support required Terraform-native service, so I wonder if maybe this is simply not supported?

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

updater | 2024/12/13 19:58:04 INFO <job_932535510> Checking if builtin/terraform  needs updating
  proxy | 2024/12/13 19:58:04 [069] GET [https://terraform.io:443/.well-known/terraform.json](https://terraform.io/.well-known/terraform.json)
  proxy | 2024/12/13 19:58:04 [069] 308 [https://terraform.io:443/.well-known/terraform.json](https://terraform.io/.well-known/terraform.json)
  proxy | 2024/12/13 19:58:04 [072] GET [https://www.terraform.io:443/.well-known/terraform.json](https://www.terraform.io/.well-known/terraform.json)
  proxy | 2024/12/13 19:58:04 [072] 404 [https://www.terraform.io:443/.well-known/terraform.json](https://www.terraform.io/.well-known/terraform.json)
  proxy | 2024/12/13 19:58:04 [074] POST /update_jobs/932535510/record_update_job_error
  proxy | 2024/12/13 19:58:04 [074] 204 /update_jobs/932535510/record_update_job_error
updater | 2024/12/13 19:58:04 INFO <job_932535510> Handled error whilst updating builtin/terraform: private_source_authentication_failure {:source=>"Host does not support required Terraform-native service"}
  proxy | 2024/12/13 19:58:04 [076] POST /update_jobs/932535510/record_ecosystem_meta
  proxy | 2024/12/13 19:58:04 [076] 204 /update_jobs/932535510/record_ecosystem_meta
  proxy | 2024/12/13 19:58:04 [078] PATCH /update_jobs/932535510/mark_as_processed
  proxy | 2024/12/13 19:58:05 [078] 204 /update_jobs/932535510/mark_as_processed
updater | 2024/12/13 19:58:05 INFO <job_932535510> Finished job processing
updater | 2024/12/13 19:58:05 INFO Results:
Dependabot encountered '1' error(s) during execution, please check the logs for more details.
+-----------------------------------------------------------+
|               Dependencies failed to update               |
+-------------------+---------------------------------------+
| builtin/terraform | private_source_authentication_failure |
+-------------------+---------------------------------------+

Smallest manifest that reproduces the issue

No response

[apparentlymart]

In case it's useful context for Dependabot maintainers who might not be familiar with all of the fine details of Terraform:

The provider source address namespace terraform.io/builtin/* is reserved for providers that are built in to the Terraform CLI executable and so cannot be upgraded independently of Terraform CLI. Terraform's provider installer has a special case for that namespace where the terraform init command will just report that the provider is built in to Terraform and not actually try to install it from anywhere. There is no discoverable provider registry running at terraform.io because Terraform does not try to resolve these providers through a registry.

Therefore I think it should be reasonable for Dependabot to entirely ignore any providers belonging to that namespace.

[nightpool]

Does this block other updates in the repo? Or just create an error message?

[BostjanBozic]

It actually blocks other repository updates, or at least it looks like that - so if you have this builtin provider configured, I get no PRs opened even for other providers (it works without issues for GitHub actions updates).