feat: add terraform_provider_constraints rule for strict provider validation

Adds a new rule that enforces specific provider configurations across Terraform modules.
This rule extends terraform_required_providers with strict constraint validation capabilities.

Features:
- Validate provider sources match expected values (e.g., enforce official namespaces)
- Validate version constraints using exact structural matching (via go-version)
- Restrict modules to only use providers from an allowed list
- Autofix capability to update non-compliant provider configurations

Configuration:
```hcl
rule "terraform_provider_constraints" {
  enabled = true

  # Optional: Restrict to only these providers
  allowed_providers_only = true

  providers = {
    aws = {
      source  = "hashicorp/aws"      # Validates source if specified
      version = "~> 5.0"              # Validates version constraint if specified
    }
  }
}
```

Key behaviors:
- Source and version validations are independent (only validate what's configured)
- Uses go-version's structural equality for constraints (e.g., "~> 4.0" != ">= 4.0, < 5.0")
- When allowed_providers_only=true, modules can only use providers in the configured list
- Ignores the builtin "terraform" provider

Use cases:
- Monorepo provider coordination during major upgrades
- Enforcing organizational standards for provider sources
- Ensuring consistent version constraint patterns across modules
- Automated compliance via tflint --fix

This addresses provider version management challenges in large-scale Terraform environments
where coordinated upgrades and consistent standards are essential.

Author: rorychatterton

docs/rules/terraform_required_providers.md

@@ -1,6 +1,6 @@
 # terraform_required_providers
 
-Require that all providers specify a `source` and `version` constraint through `required_providers`.
+Require that all providers specify a `source` and `version` constraint through `required_providers`. This rule can also enforce specific provider constraints and restrict which providers can be used.
 
 > This rule is enabled by "recommended" preset.
 
@@ -13,9 +13,39 @@ rule "terraform_required_providers" {
   # defaults
   source = true
   version = true
+
+  # Optional: Set to true to only allow listed providers
+  provider_whitelist = false
+
+  # Optional: Define constraints for specific providers
+  providers = {
+    aws = {
+      source  = "hashicorp/aws"     # Require official AWS provider
+      version = "~> 5.0"             # Require version 5.x
+    }
+    azurerm = {
+      source  = "hashicorp/azurerm"  # Require official Azure provider
+      version = "~> 3.0"             # Require version 3.x
+    }
+  }
 }
 ```
 
+## Configuration Options
+
+### Basic Options
+
+- **`source`** (boolean, default: true): Require all providers to specify a source attribute
+- **`version`** (boolean, default: true): Require all providers to specify a version constraint
+
+### Advanced Options
+
+- **`provider_whitelist`** (boolean, default: false): When set to `true`, modules can only use providers that are explicitly defined in your `providers` configuration. This creates an "allowlist" of approved providers.
+
+- **`providers`** (map, default: {}): Defines specific constraints for each provider. For each provider, you can specify:
+  - **`source`** (optional): The required source address (e.g., `"hashicorp/aws"`)
+  - **`version`** (optional): The required version constraint pattern (e.g., `"~> 5.0"`)
+
 ## Examples
 
 ```hcl
@@ -139,3 +169,98 @@ terraform {
 Provider version constraints can be specified using a [version argument within a provider block](https://developer.hashicorp.com/terraform/language/providers/configuration#provider-versions) for backwards compatibility. This approach is now discouraged, particularly for child modules.
 
 Optionally, you can disable enforcement of either `source` or `version` by setting the corresponding attribute in the rule configuration to `false`.
+
+### Provider Constraints Examples
+
+#### Enforcing Version Constraints
+
+**Rule Configuration:**
+```hcl
+rule "terraform_required_providers" {
+  enabled = true
+  providers = {
+    aws = {
+      version = "~> 5.0"  # All modules must use this exact pattern
+    }
+  }
+}
+```
+
+**Problem Code:**
+```hcl
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0, < 6.0"  # Different pattern, but similar effect
+    }
+  }
+}
+```
+
+**Error Message:**
+```
+Error: Provider "aws" version constraint does not match expected (expected: "~> 5.0", found: ">= 5.0, < 6.0")
+```
+
+The rule requires the exact pattern `"~> 5.0"`, not just any constraint that accepts version 5.x.
+
+#### Enforcing Provider Sources
+
+**Rule Configuration:**
+```hcl
+rule "terraform_required_providers" {
+  enabled = true
+  providers = {
+    aws = {
+      source  = "hashicorp/aws"  # Must use official HashiCorp source
+    }
+  }
+}
+```
+
+**Problem Code:**
+```hcl
+terraform {
+  required_providers {
+    aws = {
+      source  = "custom/aws"  # Using a potentially unsafe custom source
+      version = "~> 5.0"
+    }
+  }
+}
+```
+
+**Error Message:**
+```
+Error: Provider "aws" has incorrect source (expected: "hashicorp/aws", found: "custom/aws")
+```
+
+#### Restricting to Approved Providers
+
+**Rule Configuration:**
+```hcl
+rule "terraform_required_providers" {
+  enabled = true
+  provider_whitelist = true  # Only allow listed providers
+
+  providers = {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+```
+
+**Terraform Code:**
+```hcl
+resource "random_string" "example" {  # Using unapproved provider
+  length = 16
+}
+```
+
+**Result:**
+```
+Error: Provider "random" is not in the allowed provider list
+```