Skip to content

feat: support Terraform override files in template preview#196

Merged
geokat merged 21 commits intomainfrom
george/override-file-support-pre-eval
Mar 23, 2026
Merged

feat: support Terraform override files in template preview#196
geokat merged 21 commits intomainfrom
george/override-file-support-pre-eval

Conversation

@geokat
Copy link
Contributor

@geokat geokat commented Mar 4, 2026
edited
Loading

Implements https://developer.hashicorp.com/terraform/language/files/override (override.tf, *_override.tf) by merging override content into primary .tf files before Trivy evaluation.

Block merging

  • Override attributes replace primary attributes; override child blocks replace all primary blocks of the same type - matching Terraform's behavior
  • locals blocks are merged at the individual attribute level across all primary files, matching Terraform's per-attribute semantics
  • terraform blocks in overrides are skipped with a warning - their override semantics are too nuanced to replicate correctly
  • Empty inline blocks (e.g. variable "x" {}) are handled correctly by forcing multi-line formatting before attribute insertion
  • Unmatched override blocks (no corresponding primary) produce an error, matching Terraform's behavior

Filesystem layer

  • overrideFS wraps the base FS, serving merged content for modified primaries and hiding consumed override files so Trivy sees clean, post-merge HCL
  • filteredDir wraps directory listings to exclude hidden override files while maintaining the fs.ReadDirFile contract
  • .tf.json files are left in the FS for Trivy to parse natively but excluded from override merging (with warnings)

How it works

  1. mergeOverrides walks the filesystem, separating primary and override files per directory
  2. Override files are processed sequentially in lexicographic order, each merging into the already-merged primary using hclwrite
  3. The resulting overrideFS serves merged primary files and hides override files
  4. No-op when no override files are present - the original FS is returned unchanged
  5. All override errors are downgraded to warnings in preview.go so they never abort the preview

Related to: coder/coder#21991

image

geokat added 2 commits March 3, 2026 18:06
@geokat
feat: support Terraform override files in template preview
9510bb8 
Implement Terraform's override file semantics (override.tf, *_override.tf)
by merging override blocks into primary files before evaluation.

Related to: coder/coder#21991
@geokat
Update/add comments
1c41920
@geokat geokat marked this pull request as ready for review March 4, 2026 02:38
@geokat geokat requested a review from Emyrk March 4, 2026 02:38
Emyrk
Emyrk reviewed Mar 5, 2026
View reviewed changes
@geokat geokat marked this pull request as draft March 10, 2026 17:27
geokat added 16 commits March 17, 2026 16:56
@geokat
Merge branch 'main' into george/override-file-support-pre-eval
4cc3c8a
@geokat
Ignore .tf.json files; turn any override merge errors into warnings
08e50d1
@geokat
cleanup
2984dba
@geokat
locals blocks support (special case)
29c79e5
@geokat
detect duplicate primary blocks before override merging
6b93ea8
@geokat
skip terraform blocks in duplicate primary check
a892a8f
@geokat
add locals and terraform overrides to e2e override test fixture
3b44b0a
@geokat
cleanup
8e10cfc
@geokat
fix: handle empty inline blocks in override merging
9082b37
@geokat
more tests
dc30e62
@geokat
note about locals{}: (dis)similar to variable "x" {}
4bcf982
@geokat
var naming
6f60587
@geokat
overridefs stat error handling and readdir contract compliance
ab9a741
@geokat
better error reporting and other small fixes
4f6f193
@geokat
Remove duplicate primary check and skip 'terraform' blocks for merging
a9c1e25 
Override merging should not be stricter than Trivy, which accepts
duplicate blocks without error. Additionally, replicating Terraform's
duplicate detection correctly requires per-block-type semantics —
complexity that isn't justified for something that's not our
responsibility.  Invalid duplicates will still be caught by `terraform
plan`.

'terraform' block overrides are rare and the merging semantics are not
straightforward, so we just skip them for now (with a warning).
@geokat
fixup error messages
7993cb4
@geokat geokat marked this pull request as ready for review March 23, 2026 03:56
@geokat geokat requested a review from Emyrk March 23, 2026 03:56
Emyrk
Emyrk approved these changes Mar 23, 2026
View reviewed changes
Copy link
Member

@Emyrk Emyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The fallback behavior if it fails is great 👍

override.go
Comment on lines +62 to +68
if ext == ".tf.json" {
if isOverrideFile(d.Name()) {
warnings = warnings.Append(&hcl.Diagnostic{
Severity: hcl.DiagWarning,
Summary: "Unmerged .tf.json override file",
Detail: fmt.Sprintf("Not merging override file %q that uses JSON format", p),
})
Copy link
Member

@Emyrk Emyrk Mar 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

preview.go
Comment on lines +165 to +166
// Override merging is best-effort; downgrade all override error
// diagnostics to warnings so they never abort the preview.
Copy link
Member

@Emyrk Emyrk Mar 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@geokat geokat merged commit 2b53f0c into main Mar 23, 2026
3 checks passed
@geokat geokat deleted the george/override-file-support-pre-eval branch March 23, 2026 16:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Emyrk Emyrk Emyrk approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@geokat @Emyrk