Add "expr" type as a schema type

wata727 · wata727 · commit bfbc70117637 · 2025-07-06T16:15:22.000Z
diff --git a/opa/conversion.go b/opa/conversion.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"reflect"
 
 	"github.com/hashicorp/hcl/v2"
 	"github.com/hashicorp/hcl/v2/ext/typeexpr"
@@ -24,6 +25,10 @@ var schemaTy = types.NewObject(
 	types.NewDynamicProperty(types.S, types.A),
 )
 
+// Capsule type corresponding to "expr" in the extended schema type syntax.
+// It is not intended as a general capsule type in the cty type system, but acts as the identifier for the keyword.
+var exprCty cty.Type = cty.Capsule("expr", reflect.TypeOf((*hcl.Expression)(nil)))
+
 func jsonToSchema(in map[string]any, tyMap map[string]cty.Type, path string) (*hclext.BodySchema, map[string]cty.Type, error) {
 	schema := &hclext.BodySchema{}
 
@@ -32,13 +37,19 @@ func jsonToSchema(in map[string]any, tyMap map[string]cty.Type, path string) (*h
 
 		switch cv := v.(type) {
 		case string:
-			expr, diags := hclsyntax.ParseExpression([]byte(cv), "", hcl.InitialPos)
-			if diags.HasErrors() {
-				return schema, tyMap, fmt.Errorf("type expr parse error in %s; %s", key, withoutSubject(diags))
-			}
-			ty, diags := typeexpr.TypeConstraint(expr)
-			if diags.HasErrors() {
-				return schema, tyMap, fmt.Errorf("type constraint parse error in %s; %s", key, withoutSubject(diags))
+			var ty cty.Type
+			if cv == "expr" {
+				// "expr" is a special type that allows you to get the raw expression without evaluating it.
+				ty = exprCty
+			} else {
+				expr, diags := hclsyntax.ParseExpression([]byte(cv), "", hcl.InitialPos)
+				if diags.HasErrors() {
+					return schema, tyMap, fmt.Errorf("type expr parse error in %s; %s", key, withoutSubject(diags))
+				}
+				ty, diags = typeexpr.TypeConstraint(expr)
+				if diags.HasErrors() {
+					return schema, tyMap, fmt.Errorf("type constraint parse error in %s; %s", key, withoutSubject(diags))
+				}
 			}
 			tyMap[key] = ty
 
@@ -277,7 +288,36 @@ var exprTy = types.NewObject(
 	nil,
 )
 
+// expr (object<expr: string, range: range>) representation of a raw expression
+var rawExprTy = types.NewObject(
+	[]*types.StaticProperty{
+		types.NewStaticProperty("value", types.S),
+		types.NewStaticProperty("range", rangeTy),
+	},
+	nil,
+)
+
 func exprToJSON(expr hcl.Expression, tyMap map[string]cty.Type, path string, runner tflint.Runner) (map[string]any, error) {
+	ty, exists := tyMap[path]
+	if !exists {
+		// should never happen
+		panic(fmt.Sprintf("cannot get type of %s", path))
+	}
+	// For the "expr" type, the expression is not evaluated
+	// and the "value" is the raw expression syntax.
+	if ty == exprCty {
+		file, err := runner.GetFile(expr.Range().Filename)
+		if err != nil {
+			return map[string]any{}, fmt.Errorf("type error in %s; %w", expr.Range(), err)
+		}
+		// "unknown", "sensitive", and "ephemeral" are undefined
+		// because the "value" has not been evaluated.
+		return map[string]any{
+			"value": string(expr.Range().SliceBytes(file.Bytes)),
+			"range": rangeToJSON(expr.Range()),
+		}, nil
+	}
+
 	ret := map[string]any{
 		"unknown":   false,
 		"sensitive": false,
@@ -311,17 +351,11 @@ func exprToJSON(expr hcl.Expression, tyMap map[string]cty.Type, path string, run
 		return ret, nil
 	}
 
-	ty, exists := tyMap[path]
-	if !exists {
-		// should never happen
-		panic(fmt.Sprintf("cannot get type of %s", path))
-	}
 	if ty.HasDynamicTypes() {
 		// If a type has "any", it will be converted to JSON as a dynamic type, (e.g. {"value": 1, "type": "number"})
 		// so it will take advantage of the inferred type.
 		ty = value.Type()
 	}
-
 	value, err = convert.Convert(value, ty)
 	if err != nil {
 		return ret, fmt.Errorf("type error in %s; %w", expr.Range(), err)
diff --git a/opa/functions.go b/opa/functions.go
@@ -32,6 +32,7 @@ func Functions(runner tflint.Runner) []func(*rego.Rego) {
 		removedBlocksFunc(runner).asOption(),
 		ephemeralResourcesFunc(runner).asOption(),
 		moduleRangeFunc(runner).asOption(),
+		exprList(runner).asOption(),
 		issueFunc().asOption(),
 	}
 }
@@ -53,6 +54,7 @@ func TesterFunctions(runner tflint.Runner) []*tester.Builtin {
 		removedBlocksFunc(runner).asTester(),
 		ephemeralResourcesFunc(runner).asTester(),
 		moduleRangeFunc(runner).asTester(),
+		exprList(runner).asTester(),
 		issueFunc().asTester(),
 	}
 }
@@ -642,6 +644,56 @@ func moduleRangeFunc(runner tflint.Runner) *functionDyn {
 	}
 }
 
+// hcl.expr_list: exprs = hcl.expr_list(expr)
+//
+// Extracts a list of expressions from the given static list expression.
+// This is equivalent to hcl.ExprList in hashicorp/hcl.
+//
+//	expr (expr) static list expression. Typically this is the value of the attribute retrieved by the terraform functions.
+//
+// Returns:
+//
+//	exprs (array[expr]) list of expressions
+func exprList(runner tflint.Runner) *function1 {
+	return &function1{
+		function: function{
+			Decl: &rego.Function{
+				Name:    "hcl.expr_list",
+				Decl:    types.NewFunction(types.Args(rawExprTy), types.NewArray(nil, rawExprTy)),
+				Memoize: true,
+			},
+		},
+		Func: func(_ rego.BuiltinContext, exprArg *ast.Term) (*ast.Term, error) {
+			expr, err := astAsExpr(exprArg)
+			if err != nil {
+				return nil, err
+			}
+			file, err := runner.GetFile(expr.Range().Filename)
+			if err != nil {
+				return nil, fmt.Errorf("cannot get file %s: %w", expr.Range().Filename, err)
+			}
+
+			exprs, diags := hcl.ExprList(expr)
+			if diags.HasErrors() {
+				return nil, diags
+			}
+			ret := make([]map[string]any, len(exprs))
+			for i, e := range exprs {
+				ret[i] = map[string]any{
+					"value": string(e.Range().SliceBytes(file.Bytes)),
+					"range": rangeToJSON(e.Range()),
+				}
+			}
+
+			v, err := ast.InterfaceToValue(ret)
+			if err != nil {
+				return nil, err
+			}
+			return ast.NewTerm(v), nil
+		},
+	}
+}
+
 // tflint.issue: issue := tflint.issue(msg, range)
 //
 // Returns issue object
@@ -810,6 +862,37 @@ func blockFunc(schemaArg *ast.Term, optionArg *ast.Term, blockType string, runne
 	return ast.NewTerm(v), nil
 }
 
+func astAsExpr(v *ast.Term) (hcl.Expression, error) {
+	var exprMap map[string]any
+	if err := ast.As(v.Value, &exprMap); err != nil {
+		return nil, err
+	}
+
+	value, ok := exprMap["value"]
+	if !ok {
+		return nil, fmt.Errorf("expr must have a 'value' key")
+	}
+	valueStr, ok := value.(string)
+	if !ok {
+		return nil, fmt.Errorf("expr value must be a string")
+	}
+
+	rngArg, ok := exprMap["range"]
+	if !ok {
+		return nil, fmt.Errorf("expr must have a 'range' key")
+	}
+	rng, err := jsonToRange(rngArg, "expr.range")
+	if err != nil {
+		return nil, err
+	}
+
+	expr, diags := hclext.ParseExpression([]byte(valueStr), rng.Filename, rng.Start)
+	if diags.HasErrors() {
+		return nil, diags
+	}
+	return expr, nil
+}
+
 type function struct {
 	Decl *rego.Function
 }
