Support inherited module access safety

Signed-off-by: Christian Mesh <christianmesh1@gmail.com>
Christian Mesh
2025-09-03 12:29:15 -04:00
parent 7bec408b29
commit 018c286daf
3 changed files with 19 additions and 4 deletions


@@ -129,6 +129,17 @@ func buildChildModules(ctx context.Context, parent *Config, walker ModuleWalker)
}
sort.Strings(callNames)
var parentSafety *ModuleAccessSafety
for iter := parent; iter != nil; iter = iter.Parent {
parentSafety = iter.Module.Access
if parentSafety != nil {
break
}
}
if parentSafety != nil && *parentSafety != "tree" {
parentSafety = nil
}
for _, callName := range callNames {
call := calls[callName]
path := make([]string, len(parent.Path)+1)
@@ -143,6 +154,7 @@ func buildChildModules(ctx context.Context, parent *Config, walker ModuleWalker)
Parent: parent,
CallRange: call.DeclRange,
Call: NewStaticModuleCall(path, call.Variables, parent.Root.Module.SourceDir, call.Workspace),
AccessSafety: parentSafety,
}
if call.Source != nil {
// Invalid modules sometimes have a nil source field which is handled through loadModule below
@@ -307,6 +319,8 @@ type ModuleRequest struct {
// This is where variables and other information from the calling module
// are propagated to the child module for use in the static evaluator
Call StaticModuleCall
AccessSafety *ModuleAccessSafety
}
// DisabledModuleWalker is a ModuleWalker that doesn't support
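Review bot: The inheritance rule in buildChildModules rests on the bare string comparison `*parentSafety != "tree"` and has no comment, so a reader cannot tell that only the nearest ancestor declaring a value is consulted and that any value other than "tree" stops inheritance. Because the installer section of this commit returns this value from the code commented "Determine if module is safe to copy", I would compare against a named constant declared next to `ModuleAccessSafety` and add a comment above the loop such as `// Inherit access safety from the nearest ancestor that declares it; only "tree" propagates to children.` The new `AccessSafety` field in ModuleRequest is also the only field in view without a doc comment; `// AccessSafety is the inherited access safety, set only when the nearest declaring ancestor uses "tree".` would match its neighbour. The loop also dereferences `iter.Module` without a nil check, which is safe only if every Config in the parent chain has a Module; that cannot be confirmed from the hunk, which shows only part of the function.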


@@ -80,7 +80,7 @@ func (p *Parser) loadConfigFile(path string, override bool) (*File, hcl.Diagnost
content, contentDiags := block.Body.Content(terraformBlockSchema)
diags = append(diags, contentDiags...)
if attr, ok := content.Attributes["safety"]; ok {
if attr, ok := content.Attributes["access_safety"]; ok {
var safety ModuleAccessSafety
decodeDiags := gohcl.DecodeExpression(attr.Expr, nil, &safety)
diags = diags.Extend(decodeDiags)
@@ -342,7 +342,7 @@ var terraformBlockSchema = &hcl.BodySchema{
{Name: "required_version"},
{Name: "experiments"},
{Name: "language"},
{Name: "safety"},
{Name: "access_safety"},
},
Blocks: []hcl.BlockHeaderSchema{
{


@@ -969,10 +969,11 @@ func (i *ModuleInstaller) installGoGetterModule(ctx context.Context, req *config
// Determine if module is safe to copy
// TODO sniff instead
mod, _ := i.loader.Parser().LoadConfigDir(modDir, req.Call)
if mod != nil {
if mod != nil && mod.Access != nil {
return mod.Access
}
return nil
// Fallback
return req.AccessSafety
}
// This is *NOT* safe in parallel
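Review bot: The new fallback `return req.AccessSafety` is also taken when `LoadConfigDir` fails, because its diagnostics are discarded with `mod, _ :=` and a nil `mod` is treated the same as a module that declares nothing. A module whose configuration does not parse, or whose own `access_safety` value may have failed to decode, would then be handled under the inherited setting in a decision commented as "safe to copy". I would keep the diagnostics and fall back only when they carry no errors, for example `mod, diags := i.loader.Parser().LoadConfigDir(modDir, req.Call)` followed by `if diags.HasErrors() { return nil }`, which preserves the previous result for a module that fails to load. The enclosing function starts and ends outside the hunk, so the right return value on error should be checked against its callers.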