feat: detect unused provider aliases (#304)

bendrucker · web-flow · commit 95054a504c9f · 2025-11-10T16:46:45.000-08:00
diff --git a/docs/rules/terraform_unused_declarations.md b/docs/rules/terraform_unused_declarations.md
@@ -1,6 +1,6 @@
 # terraform_unused_declarations
 
-Disallow variables, data sources, and locals that are declared but never used.
+Disallow variables, data sources, locals, and provider aliases that are declared but never used.
 
 > This rule is enabled by "recommended" preset.
 
@@ -28,13 +28,54 @@ Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0
  
 ```
 
+Provider aliases example:
+
+```hcl
+provider "azurerm" {
+  features {}
+  alias           = "test_123"
+  subscription_id = ""
+}
+
+resource "azurerm_resource_group" "example" {
+  name     = "example-resources"
+  location = "West Europe"
+  provider = azurerm.test_123
+}
+```
+
+```
+$ tflint
+0 issue(s) found
+```
+
+Without the resource using the aliased provider:
+
+```hcl
+provider "azurerm" {
+  features {}
+  alias           = "test_123"
+  subscription_id = ""
+}
+```
+
+```
+$ tflint
+1 issue(s) found:
+
+Warning: provider "azurerm" with alias "test_123" is declared but not used (terraform_unused_declarations)
+
+  on config.tf line 1:
+   1: provider "azurerm" {
+```
+
 ## Why
 
-Terraform will ignore variables and locals that are not used. It will refresh declared data sources regardless of usage. However, unreferenced variables likely indicate either a bug (and should be referenced) or removed code (and should be removed).
+Terraform will ignore variables and locals that are not used. It will refresh declared data sources regardless of usage. However, unreferenced variables and provider aliases likely indicate either a bug (and should be referenced) or removed code (and should be removed).
 
 ## How To Fix
 
-Remove the declaration. For `variable` and `data`, remove the entire block. For a `local` value, remove the attribute from the `locals` block.
+Remove the declaration. For `variable`, `data`, and `provider` (with alias), remove the entire block. For a `local` value, remove the attribute from the `locals` block.
 
 While data sources should generally not have side effects, take greater care when removing them. For example, removing `data "http"` will cause Terraform to no longer perform an HTTP `GET` request during each plan. If a data source is being used for side effects, add an annotation to ignore it:
 
diff --git a/rules/terraform_unused_declarations.go b/rules/terraform_unused_declarations.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 
 	"github.com/hashicorp/hcl/v2"
+	"github.com/hashicorp/hcl/v2/gohcl"
 	"github.com/terraform-linters/tflint-plugin-sdk/hclext"
 	"github.com/terraform-linters/tflint-plugin-sdk/terraform/addrs"
 	"github.com/terraform-linters/tflint-plugin-sdk/terraform/lang"
@@ -18,9 +19,10 @@ type TerraformUnusedDeclarationsRule struct {
 }
 
 type declarations struct {
-	Variables     map[string]*hclext.Block
-	DataResources map[string]*hclext.Block
-	Locals        map[string]*terraform.Local
+	Variables       map[string]*hclext.Block
+	DataResources   map[string]*hclext.Block
+	Locals          map[string]*terraform.Local
+	ProviderAliases map[string]*hclext.Block
 }
 
 // NewTerraformUnusedDeclarationsRule returns a new rule
@@ -103,15 +105,31 @@ func (r *TerraformUnusedDeclarationsRule) Check(rr tflint.Runner) error {
 			return err
 		}
 	}
+	for _, provider := range decl.ProviderAliases {
+		aliasAttr := provider.Body.Attributes["alias"]
+		var aliasName string
+		if diags := gohcl.DecodeExpression(aliasAttr.Expr, nil, &aliasName); diags.HasErrors() {
+			continue
+		}
+		if err := runner.EmitIssueWithFix(
+			r,
+			fmt.Sprintf(`provider "%s" with alias "%s" is declared but not used`, provider.Labels[0], aliasName),
+			provider.DefRange,
+			func(f tflint.Fixer) error { return f.RemoveExtBlock(provider) },
+		); err != nil {
+			return err
+		}
+	}
 
 	return nil
 }
 
 func (r *TerraformUnusedDeclarationsRule) declarations(runner *terraform.Runner) (*declarations, error) {
 	decl := &declarations{
-		Variables:     map[string]*hclext.Block{},
-		DataResources: map[string]*hclext.Block{},
-		Locals:        map[string]*terraform.Local{},
+		Variables:       map[string]*hclext.Block{},
+		DataResources:   map[string]*hclext.Block{},
+		Locals:          map[string]*terraform.Local{},
+		ProviderAliases: map[string]*hclext.Block{},
 	}
 
 	body, err := runner.GetModuleContent(&hclext.BodySchema{
@@ -151,6 +169,15 @@ func (r *TerraformUnusedDeclarationsRule) declarations(runner *terraform.Runner)
 					},
 				},
 			},
+			{
+				Type:       "provider",
+				LabelNames: []string{"name"},
+				Body: &hclext.BodySchema{
+					Attributes: []hclext.AttributeSchema{
+						{Name: "alias"},
+					},
+				},
+			},
 		},
 	}, &tflint.GetModuleContentOption{ExpandMode: tflint.ExpandModeNone})
 	if err != nil {
@@ -168,6 +195,14 @@ func (r *TerraformUnusedDeclarationsRule) declarations(runner *terraform.Runner)
 				// Scoped data source addresses are unique in the module
 				decl.DataResources[fmt.Sprintf("data.%s.%s", data.Labels[0], data.Labels[1])] = data
 			}
+		case "provider":
+			// Only track providers with aliases
+			if aliasAttr, exists := block.Body.Attributes["alias"]; exists {
+				var aliasName string
+				if diags := gohcl.DecodeExpression(aliasAttr.Expr, nil, &aliasName); !diags.HasErrors() {
+					decl.ProviderAliases[fmt.Sprintf("%s.%s", block.Labels[0], aliasName)] = block
+				}
+			}
 		default:
 			panic("unreachable")
 		}
@@ -183,6 +218,13 @@ func (r *TerraformUnusedDeclarationsRule) declarations(runner *terraform.Runner)
 }
 
 func (r *TerraformUnusedDeclarationsRule) checkForRefsInExpr(expr hcl.Expression, decl *declarations) {
+	// Check for provider alias references (e.g., aws.west in provider = aws.west)
+	if traversal, diags := hcl.AbsTraversalForExpr(expr); diags == nil && len(traversal) == 2 {
+		// Provider aliases are referenced as <provider>.<alias> (2 parts)
+		providerRef := fmt.Sprintf("%s.%s", traversal.RootName(), traversal[1].(hcl.TraverseAttr).Name)
+		delete(decl.ProviderAliases, providerRef)
+	}
+
 ReferenceLoop:
 	for _, ref := range lang.ReferencesInExpr(expr) {
 		switch sub := ref.Subject.(type) {
diff --git a/rules/terraform_unused_declarations_test.go b/rules/terraform_unused_declarations_test.go
@@ -267,6 +267,156 @@ check "unused" {
 				},
 			},
 		},
+		{
+			Name: "unused provider alias",
+			Content: `
+provider "azurerm" {
+  features {}
+  alias           = "test_123"
+  subscription_id = ""
+}
+`,
+			Expected: helper.Issues{
+				{
+					Rule:    NewTerraformUnusedDeclarationsRule(),
+					Message: `provider "azurerm" with alias "test_123" is declared but not used`,
+					Range: hcl.Range{
+						Filename: "config.tf",
+						Start:    hcl.Pos{Line: 2, Column: 1},
+						End:      hcl.Pos{Line: 2, Column: 19},
+					},
+				},
+			},
+			Fixed: `
+`,
+		},
+		{
+			Name: "used provider alias in resource",
+			Content: `
+provider "azurerm" {
+  features {}
+  alias           = "test_123"
+  subscription_id = ""
+}
+
+resource "azurerm_resource_group" "example" {
+  name     = "example-resources"
+  location = "West Europe"
+  provider = azurerm.test_123
+}
+`,
+			Expected: helper.Issues{},
+		},
+		{
+			Name: "used provider alias in data source",
+			Content: `
+provider "aws" {
+  alias  = "west"
+  region = "us-west-2"
+}
+
+data "aws_ami" "example" {
+  provider    = aws.west
+  most_recent = true
+}
+
+output "ami" {
+  value = data.aws_ami.example.id
+}
+`,
+			Expected: helper.Issues{},
+		},
+		{
+			Name: "used provider alias in module",
+			Content: `
+provider "aws" {
+  alias  = "west"
+  region = "us-west-2"
+}
+
+module "example" {
+  source = "./module"
+  providers = {
+    aws = aws.west
+  }
+}
+`,
+			Expected: helper.Issues{},
+		},
+		{
+			Name: "provider without alias is not checked",
+			Content: `
+provider "aws" {
+  region = "us-east-1"
+}
+`,
+			Expected: helper.Issues{},
+		},
+		{
+			Name: "multiple provider aliases used in module providers map",
+			Content: `
+provider "aws" {
+  alias  = "east"
+  region = "us-east-1"
+}
+
+provider "aws" {
+  alias  = "west"
+  region = "us-west-2"
+}
+
+module "example" {
+  source = "./module"
+  providers = {
+    aws.primary   = aws.east
+    aws.secondary = aws.west
+  }
+}
+`,
+			Expected: helper.Issues{},
+		},
+		{
+			Name: "multiple provider aliases, one unused",
+			Content: `
+provider "aws" {
+  alias  = "east"
+  region = "us-east-1"
+}
+
+provider "aws" {
+  alias  = "west"
+  region = "us-west-2"
+}
+
+resource "aws_instance" "example" {
+  provider = aws.west
+  ami      = "ami-12345"
+}
+`,
+			Expected: helper.Issues{
+				{
+					Rule:    NewTerraformUnusedDeclarationsRule(),
+					Message: `provider "aws" with alias "east" is declared but not used`,
+					Range: hcl.Range{
+						Filename: "config.tf",
+						Start:    hcl.Pos{Line: 2, Column: 1},
+						End:      hcl.Pos{Line: 2, Column: 15},
+					},
+				},
+			},
+			Fixed: `
+
+provider "aws" {
+  alias  = "west"
+  region = "us-west-2"
+}
+
+resource "aws_instance" "example" {
+  provider = aws.west
+  ami      = "ami-12345"
+}
+`,
+		},
 	}
 
 	rule := NewTerraformUnusedDeclarationsRule()
