detect non-matching variable fields when optional types are used

[RobertBlumen]

Terraform Version

Terraform v1.2.1
on darwin_arm64

Use Cases

I have a var def like this:

variable vm {
  type = object({
    size: optional(number)
    name: optional(string)
  })
}

A user can easily spell a field name incorrectly or refer to a field name that was changed to a new name, e.g. in terraform.tfvars. This can lead to a situation where the user believes that they have initialized a field to a value when they have not done so. There is no error message because it being an optional field, not initializing the field is a valid input.

Suppose the user enters an incorrect input such as:

vm = {
  size: 45
  xame: "foo"
}

I can not find a way to get the field names from the var definition to validate that there are no incorrect field names.

Attempted Solutions

keys(var.vm) returns [ size, name ]

Proposal

When a var value is used to initialize a var containing optional fields, the non-matching fields are made available in a method, e.g. original_keys() or nonmatching_keys() - something like this:

original_keys(var.vm) == [ "size", "xame" ]
The function's return value would be accessible within a validation {} block to check that the field names match. Another option would be to add some metadata to require a strict match of the value in terraform.tfvars to the optional fields that would result in a validation error if a field name was not matched.

variable vm {
  type = object({
    size: optional(number)
    name: optional(string)
  }, 
  @match=strict)
}

References

No response

[crw]

Thanks for this request!

[jbardin]

Hi @RobertBlumen,

Thanks for the feature request!. The ability to assign objects containing a superset of attributes to a variable input is by design, so that objects outside of a module can evolve over time, while a module has the ability to define only what it needs for its own operations.

There is no way to get the attribute names from the object being assigned outside of the module, because the type within the module does not define those attributes. Perhaps though a strict mode of assignment where the type must match exactly could be implemented.

The idea however is complicated by how types are usually inferred rather than always explicitly declared within Terraform. The canonical example here would be that a module wanted only strict input types, and a user assigns the compatible resource value to that input. A minor update by the provider adding a new attribute to that resource would then make the module incompatible, complicating the ability to write modules for a range of required providers. We also need to take into account what would happen with nested module defining strict input types, when the user only has access to outer modules. The input values may be sufficiently disconnected from the problematic assignment, as to prevent easy remediation of the problem by the user.

[RobertBlumen]

Hi @jbardin If this would break the type system to make it required, I wonder if it would be possible to make these type mismatches available through some other command or option e.g.

terraform validate-2
terraform validate --strict-matching

or even put something in the output that could be parsed indicating the field names that were not matched to a field in the variable.

[jbardin]

Merging with #29204 which has more details.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.