Extend hcl2 support with more functions

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>

bake/hcl.go

@@ -4,7 +4,13 @@ import (
 	"os"
 	"strings"
 
+	"github.com/hashicorp/go-cty-funcs/cidr"
+	"github.com/hashicorp/go-cty-funcs/crypto"
+	"github.com/hashicorp/go-cty-funcs/encoding"
+	"github.com/hashicorp/go-cty-funcs/uuid"
 	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/hashicorp/hcl/v2/ext/tryfunc"
+	"github.com/hashicorp/hcl/v2/ext/typeexpr"
 	"github.com/hashicorp/hcl/v2/ext/userfunc"
 	"github.com/hashicorp/hcl/v2/hclsimple"
 	"github.com/hashicorp/hcl/v2/hclsyntax"
@@ -23,17 +29,26 @@ var (
 		"absolute":               stdlib.AbsoluteFunc,
 		"add":                    stdlib.AddFunc,
 		"and":                    stdlib.AndFunc,
+		"base64decode":           encoding.Base64DecodeFunc,
+		"base64encode":           encoding.Base64EncodeFunc,
+		"bcrypt":                 crypto.BcryptFunc,
 		"byteslen":               stdlib.BytesLenFunc,
 		"bytesslice":             stdlib.BytesSliceFunc,
+		"can":                    tryfunc.CanFunc,
+		"ceil":                   stdlib.CeilFunc,
 		"chomp":                  stdlib.ChompFunc,
 		"chunklist":              stdlib.ChunklistFunc,
-		"ceil":                   stdlib.CeilFunc,
+		"cidrhost":               cidr.HostFunc,
+		"cidrnetmask":            cidr.NetmaskFunc,
+		"cidrsubnet":             cidr.SubnetFunc,
+		"cidrsubnets":            cidr.SubnetsFunc,
 		"csvdecode":              stdlib.CSVDecodeFunc,
 		"coalesce":               stdlib.CoalesceFunc,
 		"coalescelist":           stdlib.CoalesceListFunc,
 		"compact":                stdlib.CompactFunc,
 		"concat":                 stdlib.ConcatFunc,
 		"contains":               stdlib.ContainsFunc,
+		"convert":                typeexpr.ConvertFunc,
 		"distinct":               stdlib.DistinctFunc,
 		"divide":                 stdlib.DivideFunc,
 		"element":                stdlib.ElementFunc,
@@ -60,6 +75,7 @@ var (
 		"lookup":                 stdlib.LookupFunc,
 		"lower":                  stdlib.LowerFunc,
 		"max":                    stdlib.MaxFunc,
+		"md5":                    crypto.Md5Func,
 		"merge":                  stdlib.MergeFunc,
 		"min":                    stdlib.MinFunc,
 		"modulo":                 stdlib.ModuloFunc,
@@ -73,13 +89,18 @@ var (
 		"range":                  stdlib.RangeFunc,
 		"regexall":               stdlib.RegexAllFunc,
 		"regex":                  stdlib.RegexFunc,
+		"regex_replace":          stdlib.RegexReplaceFunc,
 		"reverse":                stdlib.ReverseFunc,
 		"reverselist":            stdlib.ReverseListFunc,
+		"rsadecrypt":             crypto.RsaDecryptFunc,
 		"sethaselement":          stdlib.SetHasElementFunc,
 		"setintersection":        stdlib.SetIntersectionFunc,
 		"setsubtract":            stdlib.SetSubtractFunc,
 		"setsymmetricdifference": stdlib.SetSymmetricDifferenceFunc,
 		"setunion":               stdlib.SetUnionFunc,
+		"sha1":                   crypto.Sha1Func,
+		"sha256":                 crypto.Sha256Func,
+		"sha512":                 crypto.Sha512Func,
 		"signum":                 stdlib.SignumFunc,
 		"slice":                  stdlib.SliceFunc,
 		"sort":                   stdlib.SortFunc,
@@ -93,7 +114,11 @@ var (
 		"trimprefix":             stdlib.TrimPrefixFunc,
 		"trimspace":              stdlib.TrimSpaceFunc,
 		"trimsuffix":             stdlib.TrimSuffixFunc,
+		"try":                    tryfunc.TryFunc,
 		"upper":                  stdlib.UpperFunc,
+		"urlencode":              encoding.URLEncodeFunc,
+		"uuidv4":                 uuid.V4Func,
+		"uuidv5":                 uuid.V5Func,
 		"values":                 stdlib.ValuesFunc,
 		"zipmap":                 stdlib.ZipmapFunc,
 	}

go.mod

@@ -24,11 +24,12 @@ require (
 	github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5 // indirect
 	github.com/fvbommel/sortorder v1.0.1 // indirect
 	github.com/gofrs/flock v0.7.3
-	github.com/gofrs/uuid v3.2.0+incompatible // indirect
+	github.com/gofrs/uuid v3.3.0+incompatible // indirect
 	github.com/google/certificate-transparency-go v1.0.21 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 	github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed // indirect
-	github.com/hashicorp/hcl/v2 v2.6.0
+	github.com/hashicorp/go-cty-funcs v0.0.0-20200930094925-2721b1e36840
+	github.com/hashicorp/hcl/v2 v2.8.1
 	github.com/jinzhu/gorm v1.9.2 // indirect
 	github.com/jinzhu/inflection v0.0.0-20180308033659-04140366298a // indirect
 	github.com/jinzhu/now v1.0.0 // indirect
@@ -48,8 +49,8 @@ require (
 	github.com/theupdateframework/notary v0.6.1 // indirect
 	github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
-	github.com/zclconf/go-cty v1.4.0
-	golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208
+	github.com/zclconf/go-cty v1.7.1
+	golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9
 	gopkg.in/dancannon/gorethink.v3 v3.0.5 // indirect
 	gopkg.in/fatih/pool.v2 v2.0.0 // indirect
 	gopkg.in/gorethink/gorethink.v3 v3.0.5 // indirect

go.sum

@@ -140,6 +140,9 @@ github.com/apex/log v1.3.0/go.mod h1:jd8Vpsr46WAe3EZSQ/IUMs2qQD/GOycT5rPWCO1yGcs
 github.com/apex/logs v0.0.4/go.mod h1:XzxuLZ5myVHDy9SAmYpamKKRNApGj54PfYLcFrXqDwo=
 github.com/aphistic/golf v0.0.0-20180712155816-02c07f170c5a/go.mod h1:3NqKYiepwy8kCu4PNA+aP7WUV72eXWJeP9/r3/K9aLE=
 github.com/aphistic/sweet v0.2.0/go.mod h1:fWDlIh/isSE9n6EPsRmC0det+whmX6dJid3stzu0Xys=
+github.com/apparentlymart/go-cidr v1.0.1 h1:NmIwLZ/KdsjIUlhf+/Np40atNXm/+lZ5txfTJ/SpF+U=
+github.com/apparentlymart/go-cidr v1.0.1/go.mod h1:EBcsNrHc3zQeuaeCeCtQruQm+n9/YjEn/vI25Lg7Gwc=
+github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3 h1:ZSTrOEhiM5J5RFxEaFvMZVEAM1KvT1YzbEOwB2EAGjA=
 github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3/go.mod h1:oL81AME2rN47vu18xqj1S1jPIPuN7afo62yKTNn3XMM=
 github.com/apparentlymart/go-textseg v1.0.0 h1:rRmlIsPEEhUTIKQb7T++Nz/A5Q6C9IuX2wFoYVvnCs0=
 github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk=
@@ -174,6 +177,7 @@ github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJm
 github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI=
 github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
+github.com/bmatcuk/doublestar v1.1.5/go.mod h1:wiQtGV+rzVYxB7WIlirSN++5HPtPlXEo9MEoZQC/PmE=
 github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 h1:DDGfHa7BWjL4YnC6+E63dPcxHo2sUxDIu8g3QgEJdRY=
 github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=
 github.com/bombsimon/wsl/v2 v2.0.0/go.mod h1:mf25kr/SqFEPhhcxW1+7pxzGlW+hIl/hYTKY95VwV8U=
@@ -421,8 +425,8 @@ github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5x
 github.com/gofrs/flock v0.0.0-20190320160742-5135e617513b/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
 github.com/gofrs/flock v0.7.3 h1:I0EKY9l8HZCXTMYC4F80vwT6KNypV9uYKP3Alm/hjmQ=
 github.com/gofrs/flock v0.7.3/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
-github.com/gofrs/uuid v3.2.0+incompatible h1:y12jRkkFxsd7GpqdSZ+/KCs/fJbqpEXSGd4+jfEaewE=
-github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
+github.com/gofrs/uuid v3.3.0+incompatible h1:8K4tyRfvU1CYPgJsveYFQMhpFd/wXNM7iK6rR7UHz84=
+github.com/gofrs/uuid v3.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gogo/googleapis v1.2.0/go.mod h1:Njal3psf3qN6dwBtQfUmBZh2ybovJ0tlu3o/AC7HYjU=
 github.com/gogo/googleapis v1.3.2 h1:kX1es4djPJrsDhY7aZKJy7aZasdcB5oSOEphMjSB53c=
 github.com/gogo/googleapis v1.3.2/go.mod h1:5YRNX2z1oM5gXdAkurHa942MDgEJyk02w4OecKY87+c=
@@ -564,6 +568,8 @@ github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyN
 github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
+github.com/hashicorp/go-cty-funcs v0.0.0-20200930094925-2721b1e36840 h1:kgvybwEeu0SXktbB2y3uLHX9lklLo+nzUwh59A3jzQc=
+github.com/hashicorp/go-cty-funcs v0.0.0-20200930094925-2721b1e36840/go.mod h1:Abjk0jbRkDaNCzsRhOv2iDCofYpX1eVsjozoiK63qLA=
 github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
@@ -584,8 +590,8 @@ github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ
 github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/hashicorp/hcl/v2 v2.6.0 h1:3krZOfGY6SziUXa6H9PJU6TyohHn7I+ARYnhbeNBz+o=
-github.com/hashicorp/hcl/v2 v2.6.0/go.mod h1:bQTN5mpo+jewjJgh8jr0JUguIi7qPHUF6yIfAEN3jqY=
+github.com/hashicorp/hcl/v2 v2.8.1 h1:FJ60CIYaMyJOKzPndhMyjiz353Fd+2jr6PodF5Xzb08=
+github.com/hashicorp/hcl/v2 v2.8.1/go.mod h1:bQTN5mpo+jewjJgh8jr0JUguIi7qPHUF6yIfAEN3jqY=
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
 github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
@@ -1004,6 +1010,8 @@ github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYp
 github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df h1:OviZH7qLw/7ZovXvuNyL3XQl8UFofeikI1NW1Gypu7k=
 github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
 github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
+github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
+github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
 github.com/vmware/govmomi v0.20.3/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU=
 github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243 h1:R43TdZy32XXSXjJn7M/HhALJ9imq6ztLnChfYJpVDnM=
 github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4=
@@ -1026,8 +1034,9 @@ github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX
 github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod h1:NUSPSUX/bi6SeDMUh6brw0nXpxHnc96TguQh0+r/ssA=
 github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg=
 github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8=
-github.com/zclconf/go-cty v1.4.0 h1:+q+tmgyUB94HIdH/uVTIi/+kt3pt4sHwEZAcTyLoGsQ=
 github.com/zclconf/go-cty v1.4.0/go.mod h1:nHzOclRkoj++EU9ZjSrZvRG0BXIWt8c7loYc0qXAFGQ=
+github.com/zclconf/go-cty v1.7.1 h1:AvsC01GMhMLFL8CgEYdHGM+yLnnDOwhPAYcgTkeF0Gw=
+github.com/zclconf/go-cty v1.7.1/go.mod h1:VDR4+I79ubFBGm1uJac1226K5yANQFHeauxPBoP54+o=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.5 h1:XAzx9gjCb0Rxj7EoqcClPD1d5ZBxZJk0jbuoPHenBt0=
@@ -1066,6 +1075,7 @@ golang.org/x/crypto v0.0.0-20191002192127-34f69633bfdc/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200422194213-44a606286825/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9 h1:phUcVbl53swtrUN8kQEXFhUxPlIlWyBfKmidCu7P95o=
@@ -1169,6 +1179,8 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208 h1:qwRHBd0NqMbJxfbotnDhm2ByMI1Shq4Y6oRJo21SGJA=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9 h1:SQFwaSi55rU7vdNs9Yr0Z324VNlrF+0wMqRXT4St8ck=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=

vendor/github.com/apparentlymart/go-cidr/LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2015 Martin Atkins
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

vendor/github.com/apparentlymart/go-cidr/cidr/cidr.go

@@ -0,0 +1,218 @@
+// Package cidr is a collection of assorted utilities for computing
+// network and host addresses within network ranges.
+//
+// It expects a CIDR-type address structure where addresses are divided into
+// some number of prefix bits representing the network and then the remaining
+// suffix bits represent the host.
+//
+// For example, it can help to calculate addresses for sub-networks of a
+// parent network, or to calculate host addresses within a particular prefix.
+//
+// At present this package is prioritizing simplicity of implementation and
+// de-prioritizing speed and memory usage. Thus caution is advised before
+// using this package in performance-critical applications or hot codepaths.
+// Patches to improve the speed and memory usage may be accepted as long as
+// they do not result in a significant increase in code complexity.
+package cidr
+
+import (
+	"fmt"
+	"math/big"
+	"net"
+)
+
+// Subnet takes a parent CIDR range and creates a subnet within it
+// with the given number of additional prefix bits and the given
+// network number.
+//
+// For example, 10.3.0.0/16, extended by 8 bits, with a network number
+// of 5, becomes 10.3.5.0/24 .
+func Subnet(base *net.IPNet, newBits int, num int) (*net.IPNet, error) {
+	ip := base.IP
+	mask := base.Mask
+
+	parentLen, addrLen := mask.Size()
+	newPrefixLen := parentLen + newBits
+
+	if newPrefixLen > addrLen {
+		return nil, fmt.Errorf("insufficient address space to extend prefix of %d by %d", parentLen, newBits)
+	}
+
+	maxNetNum := uint64(1<<uint64(newBits)) - 1
+	if uint64(num) > maxNetNum {
+		return nil, fmt.Errorf("prefix extension of %d does not accommodate a subnet numbered %d", newBits, num)
+	}
+
+	return &net.IPNet{
+		IP:   insertNumIntoIP(ip, big.NewInt(int64(num)), newPrefixLen),
+		Mask: net.CIDRMask(newPrefixLen, addrLen),
+	}, nil
+}
+
+// Host takes a parent CIDR range and turns it into a host IP address with
+// the given host number.
+//
+// For example, 10.3.0.0/16 with a host number of 2 gives 10.3.0.2.
+func Host(base *net.IPNet, num int) (net.IP, error) {
+	ip := base.IP
+	mask := base.Mask
+	bigNum := big.NewInt(int64(num))
+
+	parentLen, addrLen := mask.Size()
+	hostLen := addrLen - parentLen
+
+	maxHostNum := big.NewInt(int64(1))
+	maxHostNum.Lsh(maxHostNum, uint(hostLen))
+	maxHostNum.Sub(maxHostNum, big.NewInt(1))
+
+	numUint64 := big.NewInt(int64(bigNum.Uint64()))
+	if bigNum.Cmp(big.NewInt(0)) == -1 {
+		numUint64.Neg(bigNum)
+		numUint64.Sub(numUint64, big.NewInt(int64(1)))
+		bigNum.Sub(maxHostNum, numUint64)
+	}
+
+	if numUint64.Cmp(maxHostNum) == 1 {
+		return nil, fmt.Errorf("prefix of %d does not accommodate a host numbered %d", parentLen, num)
+	}
+	var bitlength int
+	if ip.To4() != nil {
+		bitlength = 32
+	} else {
+		bitlength = 128
+	}
+	return insertNumIntoIP(ip, bigNum, bitlength), nil
+}
+
+// AddressRange returns the first and last addresses in the given CIDR range.
+func AddressRange(network *net.IPNet) (net.IP, net.IP) {
+	// the first IP is easy
+	firstIP := network.IP
+
+	// the last IP is the network address OR NOT the mask address
+	prefixLen, bits := network.Mask.Size()
+	if prefixLen == bits {
+		// Easy!
+		// But make sure that our two slices are distinct, since they
+		// would be in all other cases.
+		lastIP := make([]byte, len(firstIP))
+		copy(lastIP, firstIP)
+		return firstIP, lastIP
+	}
+
+	firstIPInt, bits := ipToInt(firstIP)
+	hostLen := uint(bits) - uint(prefixLen)
+	lastIPInt := big.NewInt(1)
+	lastIPInt.Lsh(lastIPInt, hostLen)
+	lastIPInt.Sub(lastIPInt, big.NewInt(1))
+	lastIPInt.Or(lastIPInt, firstIPInt)
+
+	return firstIP, intToIP(lastIPInt, bits)
+}
+
+// AddressCount returns the number of distinct host addresses within the given
+// CIDR range.
+//
+// Since the result is a uint64, this function returns meaningful information
+// only for IPv4 ranges and IPv6 ranges with a prefix size of at least 65.
+func AddressCount(network *net.IPNet) uint64 {
+	prefixLen, bits := network.Mask.Size()
+	return 1 << (uint64(bits) - uint64(prefixLen))
+}
+
+//VerifyNoOverlap takes a list subnets and supernet (CIDRBlock) and verifies
+//none of the subnets overlap and all subnets are in the supernet
+//it returns an error if any of those conditions are not satisfied
+func VerifyNoOverlap(subnets []*net.IPNet, CIDRBlock *net.IPNet) error {
+	firstLastIP := make([][]net.IP, len(subnets))
+	for i, s := range subnets {
+		first, last := AddressRange(s)
+		firstLastIP[i] = []net.IP{first, last}
+	}
+	for i, s := range subnets {
+		if !CIDRBlock.Contains(firstLastIP[i][0]) || !CIDRBlock.Contains(firstLastIP[i][1]) {
+			return fmt.Errorf("%s does not fully contain %s", CIDRBlock.String(), s.String())
+		}
+		for j := 0; j < len(subnets); j++ {
+			if i == j {
+				continue
+			}
+
+			first := firstLastIP[j][0]
+			last := firstLastIP[j][1]
+			if s.Contains(first) || s.Contains(last) {
+				return fmt.Errorf("%s overlaps with %s", subnets[j].String(), s.String())
+			}
+		}
+	}
+	return nil
+}
+
+// PreviousSubnet returns the subnet of the desired mask in the IP space
+// just lower than the start of IPNet provided. If the IP space rolls over
+// then the second return value is true
+func PreviousSubnet(network *net.IPNet, prefixLen int) (*net.IPNet, bool) {
+	startIP := checkIPv4(network.IP)
+	previousIP := make(net.IP, len(startIP))
+	copy(previousIP, startIP)
+	cMask := net.CIDRMask(prefixLen, 8*len(previousIP))
+	previousIP = Dec(previousIP)
+	previous := &net.IPNet{IP: previousIP.Mask(cMask), Mask: cMask}
+	if startIP.Equal(net.IPv4zero) || startIP.Equal(net.IPv6zero) {
+		return previous, true
+	}
+	return previous, false
+}
+
+// NextSubnet returns the next available subnet of the desired mask size
+// starting for the maximum IP of the offset subnet
+// If the IP exceeds the maxium IP then the second return value is true
+func NextSubnet(network *net.IPNet, prefixLen int) (*net.IPNet, bool) {
+	_, currentLast := AddressRange(network)
+	mask := net.CIDRMask(prefixLen, 8*len(currentLast))
+	currentSubnet := &net.IPNet{IP: currentLast.Mask(mask), Mask: mask}
+	_, last := AddressRange(currentSubnet)
+	last = Inc(last)
+	next := &net.IPNet{IP: last.Mask(mask), Mask: mask}
+	if last.Equal(net.IPv4zero) || last.Equal(net.IPv6zero) {
+		return next, true
+	}
+	return next, false
+}
+
+//Inc increases the IP by one this returns a new []byte for the IP
+func Inc(IP net.IP) net.IP {
+	IP = checkIPv4(IP)
+	incIP := make([]byte, len(IP))
+	copy(incIP, IP)
+	for j := len(incIP) - 1; j >= 0; j-- {
+		incIP[j]++
+		if incIP[j] > 0 {
+			break
+		}
+	}
+	return incIP
+}
+
+//Dec decreases the IP by one this returns a new []byte for the IP
+func Dec(IP net.IP) net.IP {
+	IP = checkIPv4(IP)
+	decIP := make([]byte, len(IP))
+	copy(decIP, IP)
+	decIP = checkIPv4(decIP)
+	for j := len(decIP) - 1; j >= 0; j-- {
+		decIP[j]--
+		if decIP[j] < 255 {
+			break
+		}
+	}
+	return decIP
+}
+
+func checkIPv4(ip net.IP) net.IP {
+	// Go for some reason allocs IPv6len for IPv4 so we have to correct it
+	if v4 := ip.To4(); v4 != nil {
+		return v4
+	}
+	return ip
+}

vendor/github.com/apparentlymart/go-cidr/cidr/wrangling.go

@@ -0,0 +1,37 @@
+package cidr
+
+import (
+	"fmt"
+	"math/big"
+	"net"
+)
+
+func ipToInt(ip net.IP) (*big.Int, int) {
+	val := &big.Int{}
+	val.SetBytes([]byte(ip))
+	if len(ip) == net.IPv4len {
+		return val, 32
+	} else if len(ip) == net.IPv6len {
+		return val, 128
+	} else {
+		panic(fmt.Errorf("Unsupported address length %d", len(ip)))
+	}
+}
+
+func intToIP(ipInt *big.Int, bits int) net.IP {
+	ipBytes := ipInt.Bytes()
+	ret := make([]byte, bits/8)
+	// Pack our IP bytes into the end of the return array,
+	// since big.Int.Bytes() removes front zero padding.
+	for i := 1; i <= len(ipBytes); i++ {
+		ret[len(ret)-i] = ipBytes[len(ipBytes)-i]
+	}
+	return net.IP(ret)
+}
+
+func insertNumIntoIP(ip net.IP, bigNum *big.Int, prefixLen int) net.IP {
+	ipInt, totalBits := ipToInt(ip)
+	bigNum.Lsh(bigNum, uint(totalBits-prefixLen))
+	ipInt.Or(ipInt, bigNum)
+	return intToIP(ipInt, totalBits)
+}

vendor/github.com/google/uuid/.travis.yml

@@ -0,0 +1,9 @@
+language: go
+
+go:
+  - 1.4.3
+  - 1.5.3
+  - tip
+
+script:
+  - go test -v ./...

vendor/github.com/google/uuid/CONTRIBUTING.md

@@ -0,0 +1,10 @@
+# How to contribute
+
+We definitely welcome patches and contribution to this project!
+
+### Legal requirements
+
+In order to protect both you and ourselves, you will need to sign the
+[Contributor License Agreement](https://cla.developers.google.com/clas).
+
+You may have already signed it for other Google projects.

vendor/github.com/google/uuid/CONTRIBUTORS

@@ -0,0 +1,9 @@
+Paul Borman <borman@google.com>
+bmatsuo
+shawnps
+theory
+jboverfelt
+dsymonds
+cd1
+wallclockbuilder
+dansouza

vendor/github.com/google/uuid/LICENSE

@@ -0,0 +1,27 @@
+Copyright (c) 2009,2014 Google Inc. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

vendor/github.com/google/uuid/README.md

@@ -0,0 +1,19 @@
+# uuid ![build status](https://travis-ci.org/google/uuid.svg?branch=master)
+The uuid package generates and inspects UUIDs based on
+[RFC 4122](http://tools.ietf.org/html/rfc4122)
+and DCE 1.1: Authentication and Security Services. 
+
+This package is based on the github.com/pborman/uuid package (previously named
+code.google.com/p/go-uuid).  It differs from these earlier packages in that
+a UUID is a 16 byte array rather than a byte slice.  One loss due to this
+change is the ability to represent an invalid UUID (vs a NIL UUID).
+
+###### Install
+`go get github.com/google/uuid`
+
+###### Documentation 
+[![GoDoc](https://godoc.org/github.com/google/uuid?status.svg)](http://godoc.org/github.com/google/uuid)
+
+Full `go doc` style documentation for the package can be viewed online without
+installing this package by using the GoDoc site here: 
+http://godoc.org/github.com/google/uuid

vendor/github.com/google/uuid/dce.go

@@ -0,0 +1,80 @@
+// Copyright 2016 Google Inc.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package uuid
+
+import (
+	"encoding/binary"
+	"fmt"
+	"os"
+)
+
+// A Domain represents a Version 2 domain
+type Domain byte
+
+// Domain constants for DCE Security (Version 2) UUIDs.
+const (
+	Person = Domain(0)
+	Group  = Domain(1)
+	Org    = Domain(2)
+)
+
+// NewDCESecurity returns a DCE Security (Version 2) UUID.
+//
+// The domain should be one of Person, Group or Org.
+// On a POSIX system the id should be the users UID for the Person
+// domain and the users GID for the Group.  The meaning of id for
+// the domain Org or on non-POSIX systems is site defined.
+//
+// For a given domain/id pair the same token may be returned for up to
+// 7 minutes and 10 seconds.
+func NewDCESecurity(domain Domain, id uint32) (UUID, error) {
+	uuid, err := NewUUID()
+	if err == nil {
+		uuid[6] = (uuid[6] & 0x0f) | 0x20 // Version 2
+		uuid[9] = byte(domain)
+		binary.BigEndian.PutUint32(uuid[0:], id)
+	}
+	return uuid, err
+}
+
+// NewDCEPerson returns a DCE Security (Version 2) UUID in the person
+// domain with the id returned by os.Getuid.
+//
+//  NewDCESecurity(Person, uint32(os.Getuid()))
+func NewDCEPerson() (UUID, error) {
+	return NewDCESecurity(Person, uint32(os.Getuid()))
+}
+
+// NewDCEGroup returns a DCE Security (Version 2) UUID in the group
+// domain with the id returned by os.Getgid.
+//
+//  NewDCESecurity(Group, uint32(os.Getgid()))
+func NewDCEGroup() (UUID, error) {
+	return NewDCESecurity(Group, uint32(os.Getgid()))
+}
+
+// Domain returns the domain for a Version 2 UUID.  Domains are only defined
+// for Version 2 UUIDs.
+func (uuid UUID) Domain() Domain {
+	return Domain(uuid[9])
+}
+
+// ID returns the id for a Version 2 UUID. IDs are only defined for Version 2
+// UUIDs.
+func (uuid UUID) ID() uint32 {
+	return binary.BigEndian.Uint32(uuid[0:4])
+}
+
+func (d Domain) String() string {
+	switch d {
+	case Person:
+		return "Person"
+	case Group:
+		return "Group"
+	case Org:
+		return "Org"
+	}
+	return fmt.Sprintf("Domain%d", int(d))
+}

vendor/github.com/google/uuid/doc.go

@@ -0,0 +1,12 @@
+// Copyright 2016 Google Inc.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package uuid generates and inspects UUIDs.
+//
+// UUIDs are based on RFC 4122 and DCE 1.1: Authentication and Security
+// Services.
+//
+// A UUID is a 16 byte (128 bit) array.  UUIDs may be used as keys to
+// maps or compared directly.
+package uuid

vendor/github.com/google/uuid/go.mod

@@ -0,0 +1 @@
+module github.com/google/uuid

vendor/github.com/google/uuid/hash.go

@@ -0,0 +1,53 @@
+// Copyright 2016 Google Inc.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package uuid
+
+import (
+	"crypto/md5"
+	"crypto/sha1"
+	"hash"
+)
+
+// Well known namespace IDs and UUIDs
+var (
+	NameSpaceDNS  = Must(Parse("6ba7b810-9dad-11d1-80b4-00c04fd430c8"))
+	NameSpaceURL  = Must(Parse("6ba7b811-9dad-11d1-80b4-00c04fd430c8"))
+	NameSpaceOID  = Must(Parse("6ba7b812-9dad-11d1-80b4-00c04fd430c8"))
+	NameSpaceX500 = Must(Parse("6ba7b814-9dad-11d1-80b4-00c04fd430c8"))
+	Nil           UUID // empty UUID, all zeros
+)
+
+// NewHash returns a new UUID derived from the hash of space concatenated with
+// data generated by h.  The hash should be at least 16 byte in length.  The
+// first 16 bytes of the hash are used to form the UUID.  The version of the
+// UUID will be the lower 4 bits of version.  NewHash is used to implement
+// NewMD5 and NewSHA1.
+func NewHash(h hash.Hash, space UUID, data []byte, version int) UUID {
+	h.Reset()
+	h.Write(space[:])
+	h.Write(data)
+	s := h.Sum(nil)
+	var uuid UUID
+	copy(uuid[:], s)
+	uuid[6] = (uuid[6] & 0x0f) | uint8((version&0xf)<<4)
+	uuid[8] = (uuid[8] & 0x3f) | 0x80 // RFC 4122 variant
+	return uuid
+}
+
+// NewMD5 returns a new MD5 (Version 3) UUID based on the
+// supplied name space and data.  It is the same as calling:
+//
+//  NewHash(md5.New(), space, data, 3)
+func NewMD5(space UUID, data []byte) UUID {
+	return NewHash(md5.New(), space, data, 3)
+}
+
+// NewSHA1 returns a new SHA1 (Version 5) UUID based on the
+// supplied name space and data.  It is the same as calling:
+//
+//  NewHash(sha1.New(), space, data, 5)
+func NewSHA1(space UUID, data []byte) UUID {
+	return NewHash(sha1.New(), space, data, 5)
+}

vendor/github.com/google/uuid/marshal.go

@@ -0,0 +1,37 @@
+// Copyright 2016 Google Inc.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package uuid
+
+import "fmt"
+
+// MarshalText implements encoding.TextMarshaler.
+func (uuid UUID) MarshalText() ([]byte, error) {
+	var js [36]byte
+	encodeHex(js[:], uuid)
+	return js[:], nil
+}
+
+// UnmarshalText implements encoding.TextUnmarshaler.
+func (uuid *UUID) UnmarshalText(data []byte) error {
+	id, err := ParseBytes(data)
+	if err == nil {
+		*uuid = id
+	}
+	return err
+}
+
+// MarshalBinary implements encoding.BinaryMarshaler.
+func (uuid UUID) MarshalBinary() ([]byte, error) {
+	return uuid[:], nil
+}
+
+// UnmarshalBinary implements encoding.BinaryUnmarshaler.
+func (uuid *UUID) UnmarshalBinary(data []byte) error {
+	if len(data) != 16 {
+		return fmt.Errorf("invalid UUID (got %d bytes)", len(data))
+	}
+	copy(uuid[:], data)
+	return nil
+}

vendor/github.com/google/uuid/node.go

@@ -0,0 +1,90 @@
+// Copyright 2016 Google Inc.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package uuid
+
+import (
+	"sync"
+)
+
+var (
+	nodeMu sync.Mutex
+	ifname string  // name of interface being used
+	nodeID [6]byte // hardware for version 1 UUIDs
+	zeroID [6]byte // nodeID with only 0's
+)
+
+// NodeInterface returns the name of the interface from which the NodeID was
+// derived.  The interface "user" is returned if the NodeID was set by
+// SetNodeID.
+func NodeInterface() string {
+	defer nodeMu.Unlock()
+	nodeMu.Lock()
+	return ifname
+}
+
+// SetNodeInterface selects the hardware address to be used for Version 1 UUIDs.
+// If name is "" then the first usable interface found will be used or a random
+// Node ID will be generated.  If a named interface cannot be found then false
+// is returned.
+//
+// SetNodeInterface never fails when name is "".
+func SetNodeInterface(name string) bool {
+	defer nodeMu.Unlock()
+	nodeMu.Lock()
+	return setNodeInterface(name)
+}
+
+func setNodeInterface(name string) bool {
+	iname, addr := getHardwareInterface(name) // null implementation for js
+	if iname != "" && addr != nil {
+		ifname = iname
+		copy(nodeID[:], addr)
+		return true
+	}
+
+	// We found no interfaces with a valid hardware address.  If name
+	// does not specify a specific interface generate a random Node ID
+	// (section 4.1.6)
+	if name == "" {
+		ifname = "random"
+		randomBits(nodeID[:])
+		return true
+	}
+	return false
+}
+
+// NodeID returns a slice of a copy of the current Node ID, setting the Node ID
+// if not already set.
+func NodeID() []byte {
+	defer nodeMu.Unlock()
+	nodeMu.Lock()
+	if nodeID == zeroID {
+		setNodeInterface("")
+	}
+	nid := nodeID
+	return nid[:]
+}
+
+// SetNodeID sets the Node ID to be used for Version 1 UUIDs.  The first 6 bytes
+// of id are used.  If id is less than 6 bytes then false is returned and the
+// Node ID is not set.
+func SetNodeID(id []byte) bool {
+	if len(id) < 6 {
+		return false
+	}
+	defer nodeMu.Unlock()
+	nodeMu.Lock()
+	copy(nodeID[:], id)
+	ifname = "user"
+	return true
+}
+
+// NodeID returns the 6 byte node id encoded in uuid.  It returns nil if uuid is
+// not valid.  The NodeID is only well defined for version 1 and 2 UUIDs.
+func (uuid UUID) NodeID() []byte {
+	var node [6]byte
+	copy(node[:], uuid[10:])
+	return node[:]
+}

vendor/github.com/google/uuid/node_js.go

@@ -0,0 +1,12 @@
+// Copyright 2017 Google Inc.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build js
+
+package uuid
+
+// getHardwareInterface returns nil values for the JS version of the code.
+// This remvoves the "net" dependency, because it is not used in the browser.
+// Using the "net" library inflates the size of the transpiled JS code by 673k bytes.
+func getHardwareInterface(name string) (string, []byte) { return "", nil }

vendor/github.com/google/uuid/node_net.go

@@ -0,0 +1,33 @@
+// Copyright 2017 Google Inc.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build !js
+
+package uuid
+
+import "net"
+
+var interfaces []net.Interface // cached list of interfaces
+
+// getHardwareInterface returns the name and hardware address of interface name.
+// If name is "" then the name and hardware address of one of the system's
+// interfaces is returned.  If no interfaces are found (name does not exist or
+// there are no interfaces) then "", nil is returned.
+//
+// Only addresses of at least 6 bytes are returned.
+func getHardwareInterface(name string) (string, []byte) {
+	if interfaces == nil {
+		var err error
+		interfaces, err = net.Interfaces()
+		if err != nil {
+			return "", nil
+		}
+	}
+	for _, ifs := range interfaces {
+		if len(ifs.HardwareAddr) >= 6 && (name == "" || name == ifs.Name) {
+			return ifs.Name, ifs.HardwareAddr
+		}
+	}
+	return "", nil
+}

vendor/github.com/google/uuid/sql.go

@@ -0,0 +1,59 @@
+// Copyright 2016 Google Inc.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package uuid
+
+import (
+	"database/sql/driver"
+	"fmt"
+)
+
+// Scan implements sql.Scanner so UUIDs can be read from databases transparently
+// Currently, database types that map to string and []byte are supported. Please
+// consult database-specific driver documentation for matching types.
+func (uuid *UUID) Scan(src interface{}) error {
+	switch src := src.(type) {
+	case nil:
+		return nil
+
+	case string:
+		// if an empty UUID comes from a table, we return a null UUID
+		if src == "" {
+			return nil
+		}
+
+		// see Parse for required string format
+		u, err := Parse(src)
+		if err != nil {
+			return fmt.Errorf("Scan: %v", err)
+		}
+
+		*uuid = u
+
+	case []byte:
+		// if an empty UUID comes from a table, we return a null UUID
+		if len(src) == 0 {
+			return nil
+		}
+
+		// assumes a simple slice of bytes if 16 bytes
+		// otherwise attempts to parse
+		if len(src) != 16 {
+			return uuid.Scan(string(src))
+		}
+		copy((*uuid)[:], src)
+
+	default:
+		return fmt.Errorf("Scan: unable to scan type %T into UUID", src)
+	}
+
+	return nil
+}
+
+// Value implements sql.Valuer so that UUIDs can be written to databases
+// transparently. Currently, UUIDs map to strings. Please consult
+// database-specific driver documentation for matching types.
+func (uuid UUID) Value() (driver.Value, error) {
+	return uuid.String(), nil
+}

vendor/github.com/google/uuid/time.go

@@ -0,0 +1,123 @@
+// Copyright 2016 Google Inc.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package uuid
+
+import (
+	"encoding/binary"
+	"sync"
+	"time"
+)
+
+// A Time represents a time as the number of 100's of nanoseconds since 15 Oct
+// 1582.
+type Time int64
+
+const (
+	lillian    = 2299160          // Julian day of 15 Oct 1582
+	unix       = 2440587          // Julian day of 1 Jan 1970
+	epoch      = unix - lillian   // Days between epochs
+	g1582      = epoch * 86400    // seconds between epochs
+	g1582ns100 = g1582 * 10000000 // 100s of a nanoseconds between epochs
+)
+
+var (
+	timeMu   sync.Mutex
+	lasttime uint64 // last time we returned
+	clockSeq uint16 // clock sequence for this run
+
+	timeNow = time.Now // for testing
+)
+
+// UnixTime converts t the number of seconds and nanoseconds using the Unix
+// epoch of 1 Jan 1970.
+func (t Time) UnixTime() (sec, nsec int64) {
+	sec = int64(t - g1582ns100)
+	nsec = (sec % 10000000) * 100
+	sec /= 10000000
+	return sec, nsec
+}
+
+// GetTime returns the current Time (100s of nanoseconds since 15 Oct 1582) and
+// clock sequence as well as adjusting the clock sequence as needed.  An error
+// is returned if the current time cannot be determined.
+func GetTime() (Time, uint16, error) {
+	defer timeMu.Unlock()
+	timeMu.Lock()
+	return getTime()
+}
+
+func getTime() (Time, uint16, error) {
+	t := timeNow()
+
+	// If we don't have a clock sequence already, set one.
+	if clockSeq == 0 {
+		setClockSequence(-1)
+	}
+	now := uint64(t.UnixNano()/100) + g1582ns100
+
+	// If time has gone backwards with this clock sequence then we
+	// increment the clock sequence
+	if now <= lasttime {
+		clockSeq = ((clockSeq + 1) & 0x3fff) | 0x8000
+	}
+	lasttime = now
+	return Time(now), clockSeq, nil
+}
+
+// ClockSequence returns the current clock sequence, generating one if not
+// already set.  The clock sequence is only used for Version 1 UUIDs.
+//
+// The uuid package does not use global static storage for the clock sequence or
+// the last time a UUID was generated.  Unless SetClockSequence is used, a new
+// random clock sequence is generated the first time a clock sequence is
+// requested by ClockSequence, GetTime, or NewUUID.  (section 4.2.1.1)
+func ClockSequence() int {
+	defer timeMu.Unlock()
+	timeMu.Lock()
+	return clockSequence()
+}
+
+func clockSequence() int {
+	if clockSeq == 0 {
+		setClockSequence(-1)
+	}
+	return int(clockSeq & 0x3fff)
+}
+
+// SetClockSequence sets the clock sequence to the lower 14 bits of seq.  Setting to
+// -1 causes a new sequence to be generated.
+func SetClockSequence(seq int) {
+	defer timeMu.Unlock()
+	timeMu.Lock()
+	setClockSequence(seq)
+}
+
+func setClockSequence(seq int) {
+	if seq == -1 {
+		var b [2]byte
+		randomBits(b[:]) // clock sequence
+		seq = int(b[0])<<8 | int(b[1])
+	}
+	oldSeq := clockSeq
+	clockSeq = uint16(seq&0x3fff) | 0x8000 // Set our variant
+	if oldSeq != clockSeq {
+		lasttime = 0
+	}
+}
+
+// Time returns the time in 100s of nanoseconds since 15 Oct 1582 encoded in
+// uuid.  The time is only defined for version 1 and 2 UUIDs.
+func (uuid UUID) Time() Time {
+	time := int64(binary.BigEndian.Uint32(uuid[0:4]))
+	time |= int64(binary.BigEndian.Uint16(uuid[4:6])) << 32
+	time |= int64(binary.BigEndian.Uint16(uuid[6:8])&0xfff) << 48
+	return Time(time)
+}
+
+// ClockSequence returns the clock sequence encoded in uuid.
+// The clock sequence is only well defined for version 1 and 2 UUIDs.
+func (uuid UUID) ClockSequence() int {
+	return int(binary.BigEndian.Uint16(uuid[8:10])) & 0x3fff
+}

vendor/github.com/google/uuid/util.go

@@ -0,0 +1,43 @@
+// Copyright 2016 Google Inc.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package uuid
+
+import (
+	"io"
+)
+
+// randomBits completely fills slice b with random data.
+func randomBits(b []byte) {
+	if _, err := io.ReadFull(rander, b); err != nil {
+		panic(err.Error()) // rand should never fail
+	}
+}
+
+// xvalues returns the value of a byte as a hexadecimal digit or 255.
+var xvalues = [256]byte{
+	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
+	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
+	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
+	0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 255, 255, 255, 255, 255, 255,
+	255, 10, 11, 12, 13, 14, 15, 255, 255, 255, 255, 255, 255, 255, 255, 255,
+	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
+	255, 10, 11, 12, 13, 14, 15, 255, 255, 255, 255, 255, 255, 255, 255, 255,
+	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
+	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
+	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
+	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
+	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
+	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
+	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
+	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
+	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
+}
+
+// xtob converts hex characters x1 and x2 into a byte.
+func xtob(x1, x2 byte) (byte, bool) {
+	b1 := xvalues[x1]
+	b2 := xvalues[x2]
+	return (b1 << 4) | b2, b1 != 255 && b2 != 255
+}

vendor/github.com/google/uuid/uuid.go

@@ -0,0 +1,245 @@
+// Copyright 2018 Google Inc.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package uuid
+
+import (
+	"bytes"
+	"crypto/rand"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"io"
+	"strings"
+)
+
+// A UUID is a 128 bit (16 byte) Universal Unique IDentifier as defined in RFC
+// 4122.
+type UUID [16]byte
+
+// A Version represents a UUID's version.
+type Version byte
+
+// A Variant represents a UUID's variant.
+type Variant byte
+
+// Constants returned by Variant.
+const (
+	Invalid   = Variant(iota) // Invalid UUID
+	RFC4122                   // The variant specified in RFC4122
+	Reserved                  // Reserved, NCS backward compatibility.
+	Microsoft                 // Reserved, Microsoft Corporation backward compatibility.
+	Future                    // Reserved for future definition.
+)
+
+var rander = rand.Reader // random function
+
+// Parse decodes s into a UUID or returns an error.  Both the standard UUID
+// forms of xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx and
+// urn:uuid:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx are decoded as well as the
+// Microsoft encoding {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} and the raw hex
+// encoding: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
+func Parse(s string) (UUID, error) {
+	var uuid UUID
+	switch len(s) {
+	// xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+	case 36:
+
+	// urn:uuid:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+	case 36 + 9:
+		if strings.ToLower(s[:9]) != "urn:uuid:" {
+			return uuid, fmt.Errorf("invalid urn prefix: %q", s[:9])
+		}
+		s = s[9:]
+
+	// {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
+	case 36 + 2:
+		s = s[1:]
+
+	// xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+	case 32:
+		var ok bool
+		for i := range uuid {
+			uuid[i], ok = xtob(s[i*2], s[i*2+1])
+			if !ok {
+				return uuid, errors.New("invalid UUID format")
+			}
+		}
+		return uuid, nil
+	default:
+		return uuid, fmt.Errorf("invalid UUID length: %d", len(s))
+	}
+	// s is now at least 36 bytes long
+	// it must be of the form  xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+	if s[8] != '-' || s[13] != '-' || s[18] != '-' || s[23] != '-' {
+		return uuid, errors.New("invalid UUID format")
+	}
+	for i, x := range [16]int{
+		0, 2, 4, 6,
+		9, 11,
+		14, 16,
+		19, 21,
+		24, 26, 28, 30, 32, 34} {
+		v, ok := xtob(s[x], s[x+1])
+		if !ok {
+			return uuid, errors.New("invalid UUID format")
+		}
+		uuid[i] = v
+	}
+	return uuid, nil
+}
+
+// ParseBytes is like Parse, except it parses a byte slice instead of a string.
+func ParseBytes(b []byte) (UUID, error) {
+	var uuid UUID
+	switch len(b) {
+	case 36: // xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+	case 36 + 9: // urn:uuid:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+		if !bytes.Equal(bytes.ToLower(b[:9]), []byte("urn:uuid:")) {
+			return uuid, fmt.Errorf("invalid urn prefix: %q", b[:9])
+		}
+		b = b[9:]
+	case 36 + 2: // {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
+		b = b[1:]
+	case 32: // xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+		var ok bool
+		for i := 0; i < 32; i += 2 {
+			uuid[i/2], ok = xtob(b[i], b[i+1])
+			if !ok {
+				return uuid, errors.New("invalid UUID format")
+			}
+		}
+		return uuid, nil
+	default:
+		return uuid, fmt.Errorf("invalid UUID length: %d", len(b))
+	}
+	// s is now at least 36 bytes long
+	// it must be of the form  xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+	if b[8] != '-' || b[13] != '-' || b[18] != '-' || b[23] != '-' {
+		return uuid, errors.New("invalid UUID format")
+	}
+	for i, x := range [16]int{
+		0, 2, 4, 6,
+		9, 11,
+		14, 16,
+		19, 21,
+		24, 26, 28, 30, 32, 34} {
+		v, ok := xtob(b[x], b[x+1])
+		if !ok {
+			return uuid, errors.New("invalid UUID format")
+		}
+		uuid[i] = v
+	}
+	return uuid, nil
+}
+
+// MustParse is like Parse but panics if the string cannot be parsed.
+// It simplifies safe initialization of global variables holding compiled UUIDs.
+func MustParse(s string) UUID {
+	uuid, err := Parse(s)
+	if err != nil {
+		panic(`uuid: Parse(` + s + `): ` + err.Error())
+	}
+	return uuid
+}
+
+// FromBytes creates a new UUID from a byte slice. Returns an error if the slice
+// does not have a length of 16. The bytes are copied from the slice.
+func FromBytes(b []byte) (uuid UUID, err error) {
+	err = uuid.UnmarshalBinary(b)
+	return uuid, err
+}
+
+// Must returns uuid if err is nil and panics otherwise.
+func Must(uuid UUID, err error) UUID {
+	if err != nil {
+		panic(err)
+	}
+	return uuid
+}
+
+// String returns the string form of uuid, xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+// , or "" if uuid is invalid.
+func (uuid UUID) String() string {
+	var buf [36]byte
+	encodeHex(buf[:], uuid)
+	return string(buf[:])
+}
+
+// URN returns the RFC 2141 URN form of uuid,
+// urn:uuid:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,  or "" if uuid is invalid.
+func (uuid UUID) URN() string {
+	var buf [36 + 9]byte
+	copy(buf[:], "urn:uuid:")
+	encodeHex(buf[9:], uuid)
+	return string(buf[:])
+}
+
+func encodeHex(dst []byte, uuid UUID) {
+	hex.Encode(dst, uuid[:4])
+	dst[8] = '-'
+	hex.Encode(dst[9:13], uuid[4:6])
+	dst[13] = '-'
+	hex.Encode(dst[14:18], uuid[6:8])
+	dst[18] = '-'
+	hex.Encode(dst[19:23], uuid[8:10])
+	dst[23] = '-'
+	hex.Encode(dst[24:], uuid[10:])
+}
+
+// Variant returns the variant encoded in uuid.
+func (uuid UUID) Variant() Variant {
+	switch {
+	case (uuid[8] & 0xc0) == 0x80:
+		return RFC4122
+	case (uuid[8] & 0xe0) == 0xc0:
+		return Microsoft
+	case (uuid[8] & 0xe0) == 0xe0:
+		return Future
+	default:
+		return Reserved
+	}
+}
+
+// Version returns the version of uuid.
+func (uuid UUID) Version() Version {
+	return Version(uuid[6] >> 4)
+}
+
+func (v Version) String() string {
+	if v > 15 {
+		return fmt.Sprintf("BAD_VERSION_%d", v)
+	}
+	return fmt.Sprintf("VERSION_%d", v)
+}
+
+func (v Variant) String() string {
+	switch v {
+	case RFC4122:
+		return "RFC4122"
+	case Reserved:
+		return "Reserved"
+	case Microsoft:
+		return "Microsoft"
+	case Future:
+		return "Future"
+	case Invalid:
+		return "Invalid"
+	}
+	return fmt.Sprintf("BadVariant%d", int(v))
+}
+
+// SetRand sets the random number generator to r, which implements io.Reader.
+// If r.Read returns an error when the package requests random data then
+// a panic will be issued.
+//
+// Calling SetRand with nil sets the random number generator to the default
+// generator.
+func SetRand(r io.Reader) {
+	if r == nil {
+		rander = rand.Reader
+		return
+	}
+	rander = r
+}

vendor/github.com/google/uuid/version1.go

@@ -0,0 +1,44 @@
+// Copyright 2016 Google Inc.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package uuid
+
+import (
+	"encoding/binary"
+)
+
+// NewUUID returns a Version 1 UUID based on the current NodeID and clock
+// sequence, and the current time.  If the NodeID has not been set by SetNodeID
+// or SetNodeInterface then it will be set automatically.  If the NodeID cannot
+// be set NewUUID returns nil.  If clock sequence has not been set by
+// SetClockSequence then it will be set automatically.  If GetTime fails to
+// return the current NewUUID returns nil and an error.
+//
+// In most cases, New should be used.
+func NewUUID() (UUID, error) {
+	nodeMu.Lock()
+	if nodeID == zeroID {
+		setNodeInterface("")
+	}
+	nodeMu.Unlock()
+
+	var uuid UUID
+	now, seq, err := GetTime()
+	if err != nil {
+		return uuid, err
+	}
+
+	timeLow := uint32(now & 0xffffffff)
+	timeMid := uint16((now >> 32) & 0xffff)
+	timeHi := uint16((now >> 48) & 0x0fff)
+	timeHi |= 0x1000 // Version 1
+
+	binary.BigEndian.PutUint32(uuid[0:], timeLow)
+	binary.BigEndian.PutUint16(uuid[4:], timeMid)
+	binary.BigEndian.PutUint16(uuid[6:], timeHi)
+	binary.BigEndian.PutUint16(uuid[8:], seq)
+	copy(uuid[10:], nodeID[:])
+
+	return uuid, nil
+}

vendor/github.com/google/uuid/version4.go

@@ -0,0 +1,38 @@
+// Copyright 2016 Google Inc.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package uuid
+
+import "io"
+
+// New creates a new random UUID or panics.  New is equivalent to
+// the expression
+//
+//    uuid.Must(uuid.NewRandom())
+func New() UUID {
+	return Must(NewRandom())
+}
+
+// NewRandom returns a Random (Version 4) UUID.
+//
+// The strength of the UUIDs is based on the strength of the crypto/rand
+// package.
+//
+// A note about uniqueness derived from the UUID Wikipedia entry:
+//
+//  Randomly generated UUIDs have 122 random bits.  One's annual risk of being
+//  hit by a meteorite is estimated to be one chance in 17 billion, that
+//  means the probability is about 0.00000000006 (6 × 10−11),
+//  equivalent to the odds of creating a few tens of trillions of UUIDs in a
+//  year and having one duplicate.
+func NewRandom() (UUID, error) {
+	var uuid UUID
+	_, err := io.ReadFull(rander, uuid[:])
+	if err != nil {
+		return Nil, err
+	}
+	uuid[6] = (uuid[6] & 0x0f) | 0x40 // Version 4
+	uuid[8] = (uuid[8] & 0x3f) | 0x80 // Variant is 10
+	return uuid, nil
+}

vendor/github.com/hashicorp/go-cty-funcs/LICENSE

@@ -0,0 +1,354 @@
+Mozilla Public License, version 2.0
+
+1. Definitions
+
+1.1. “Contributor”
+
+     means each individual or legal entity that creates, contributes to the
+     creation of, or owns Covered Software.
+
+1.2. “Contributor Version”
+
+     means the combination of the Contributions of others (if any) used by a
+     Contributor and that particular Contributor’s Contribution.
+
+1.3. “Contribution”
+
+     means Covered Software of a particular Contributor.
+
+1.4. “Covered Software”
+
+     means Source Code Form to which the initial Contributor has attached the
+     notice in Exhibit A, the Executable Form of such Source Code Form, and
+     Modifications of such Source Code Form, in each case including portions
+     thereof.
+
+1.5. “Incompatible With Secondary Licenses”
+     means
+
+     a. that the initial Contributor has attached the notice described in
+        Exhibit B to the Covered Software; or
+
+     b. that the Covered Software was made available under the terms of version
+        1.1 or earlier of the License, but not also under the terms of a
+        Secondary License.
+
+1.6. “Executable Form”
+
+     means any form of the work other than Source Code Form.
+
+1.7. “Larger Work”
+
+     means a work that combines Covered Software with other material, in a separate
+     file or files, that is not Covered Software.
+
+1.8. “License”
+
+     means this document.
+
+1.9. “Licensable”
+
+     means having the right to grant, to the maximum extent possible, whether at the
+     time of the initial grant or subsequently, any and all of the rights conveyed by
+     this License.
+
+1.10. “Modifications”
+
+     means any of the following:
+
+     a. any file in Source Code Form that results from an addition to, deletion
+        from, or modification of the contents of Covered Software; or
+
+     b. any new file in Source Code Form that contains any Covered Software.
+
+1.11. “Patent Claims” of a Contributor
+
+      means any patent claim(s), including without limitation, method, process,
+      and apparatus claims, in any patent Licensable by such Contributor that
+      would be infringed, but for the grant of the License, by the making,
+      using, selling, offering for sale, having made, import, or transfer of
+      either its Contributions or its Contributor Version.
+
+1.12. “Secondary License”
+
+      means either the GNU General Public License, Version 2.0, the GNU Lesser
+      General Public License, Version 2.1, the GNU Affero General Public
+      License, Version 3.0, or any later versions of those licenses.
+
+1.13. “Source Code Form”
+
+      means the form of the work preferred for making modifications.
+
+1.14. “You” (or “Your”)
+
+      means an individual or a legal entity exercising rights under this
+      License. For legal entities, “You” includes any entity that controls, is
+      controlled by, or is under common control with You. For purposes of this
+      definition, “control” means (a) the power, direct or indirect, to cause
+      the direction or management of such entity, whether by contract or
+      otherwise, or (b) ownership of more than fifty percent (50%) of the
+      outstanding shares or beneficial ownership of such entity.
+
+
+2. License Grants and Conditions
+
+2.1. Grants
+
+     Each Contributor hereby grants You a world-wide, royalty-free,
+     non-exclusive license:
+
+     a. under intellectual property rights (other than patent or trademark)
+        Licensable by such Contributor to use, reproduce, make available,
+        modify, display, perform, distribute, and otherwise exploit its
+        Contributions, either on an unmodified basis, with Modifications, or as
+        part of a Larger Work; and
+
+     b. under Patent Claims of such Contributor to make, use, sell, offer for
+        sale, have made, import, and otherwise transfer either its Contributions
+        or its Contributor Version.
+
+2.2. Effective Date
+
+     The licenses granted in Section 2.1 with respect to any Contribution become
+     effective for each Contribution on the date the Contributor first distributes
+     such Contribution.
+
+2.3. Limitations on Grant Scope
+
+     The licenses granted in this Section 2 are the only rights granted under this
+     License. No additional rights or licenses will be implied from the distribution
+     or licensing of Covered Software under this License. Notwithstanding Section
+     2.1(b) above, no patent license is granted by a Contributor:
+
+     a. for any code that a Contributor has removed from Covered Software; or
+
+     b. for infringements caused by: (i) Your and any other third party’s
+        modifications of Covered Software, or (ii) the combination of its
+        Contributions with other software (except as part of its Contributor
+        Version); or
+
+     c. under Patent Claims infringed by Covered Software in the absence of its
+        Contributions.
+
+     This License does not grant any rights in the trademarks, service marks, or
+     logos of any Contributor (except as may be necessary to comply with the
+     notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+     No Contributor makes additional grants as a result of Your choice to
+     distribute the Covered Software under a subsequent version of this License
+     (see Section 10.2) or under the terms of a Secondary License (if permitted
+     under the terms of Section 3.3).
+
+2.5. Representation
+
+     Each Contributor represents that the Contributor believes its Contributions
+     are its original creation(s) or it has sufficient rights to grant the
+     rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+     This License is not intended to limit any rights You have under applicable
+     copyright doctrines of fair use, fair dealing, or other equivalents.
+
+2.7. Conditions
+
+     Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in
+     Section 2.1.
+
+
+3. Responsibilities
+
+3.1. Distribution of Source Form
+
+     All distribution of Covered Software in Source Code Form, including any
+     Modifications that You create or to which You contribute, must be under the
+     terms of this License. You must inform recipients that the Source Code Form
+     of the Covered Software is governed by the terms of this License, and how
+     they can obtain a copy of this License. You may not attempt to alter or
+     restrict the recipients’ rights in the Source Code Form.
+
+3.2. Distribution of Executable Form
+
+     If You distribute Covered Software in Executable Form then:
+
+     a. such Covered Software must also be made available in Source Code Form,
+        as described in Section 3.1, and You must inform recipients of the
+        Executable Form how they can obtain a copy of such Source Code Form by
+        reasonable means in a timely manner, at a charge no more than the cost
+        of distribution to the recipient; and
+
+     b. You may distribute such Executable Form under the terms of this License,
+        or sublicense it under different terms, provided that the license for
+        the Executable Form does not attempt to limit or alter the recipients’
+        rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+     You may create and distribute a Larger Work under terms of Your choice,
+     provided that You also comply with the requirements of this License for the
+     Covered Software. If the Larger Work is a combination of Covered Software
+     with a work governed by one or more Secondary Licenses, and the Covered
+     Software is not Incompatible With Secondary Licenses, this License permits
+     You to additionally distribute such Covered Software under the terms of
+     such Secondary License(s), so that the recipient of the Larger Work may, at
+     their option, further distribute the Covered Software under the terms of
+     either this License or such Secondary License(s).
+
+3.4. Notices
+
+     You may not remove or alter the substance of any license notices (including
+     copyright notices, patent notices, disclaimers of warranty, or limitations
+     of liability) contained within the Source Code Form of the Covered
+     Software, except that You may alter any license notices to the extent
+     required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+     You may choose to offer, and to charge a fee for, warranty, support,
+     indemnity or liability obligations to one or more recipients of Covered
+     Software. However, You may do so only on Your own behalf, and not on behalf
+     of any Contributor. You must make it absolutely clear that any such
+     warranty, support, indemnity, or liability obligation is offered by You
+     alone, and You hereby agree to indemnify every Contributor for any
+     liability incurred by such Contributor as a result of warranty, support,
+     indemnity or liability terms You offer. You may include additional
+     disclaimers of warranty and limitations of liability specific to any
+     jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+
+   If it is impossible for You to comply with any of the terms of this License
+   with respect to some or all of the Covered Software due to statute, judicial
+   order, or regulation then You must: (a) comply with the terms of this License
+   to the maximum extent possible; and (b) describe the limitations and the code
+   they affect. Such description must be placed in a text file included with all
+   distributions of the Covered Software under this License. Except to the
+   extent prohibited by statute or regulation, such description must be
+   sufficiently detailed for a recipient of ordinary skill to be able to
+   understand it.
+
+5. Termination
+
+5.1. The rights granted under this License will terminate automatically if You
+     fail to comply with any of its terms. However, if You become compliant,
+     then the rights granted under this License from a particular Contributor
+     are reinstated (a) provisionally, unless and until such Contributor
+     explicitly and finally terminates Your grants, and (b) on an ongoing basis,
+     if such Contributor fails to notify You of the non-compliance by some
+     reasonable means prior to 60 days after You have come back into compliance.
+     Moreover, Your grants from a particular Contributor are reinstated on an
+     ongoing basis if such Contributor notifies You of the non-compliance by
+     some reasonable means, this is the first time You have received notice of
+     non-compliance with this License from such Contributor, and You become
+     compliant prior to 30 days after Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+     infringement claim (excluding declaratory judgment actions, counter-claims,
+     and cross-claims) alleging that a Contributor Version directly or
+     indirectly infringes any patent, then the rights granted to You by any and
+     all Contributors for the Covered Software under Section 2.1 of this License
+     shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user
+     license agreements (excluding distributors and resellers) which have been
+     validly granted by You or Your distributors under this License prior to
+     termination shall survive termination.
+
+6. Disclaimer of Warranty
+
+   Covered Software is provided under this License on an “as is” basis, without
+   warranty of any kind, either expressed, implied, or statutory, including,
+   without limitation, warranties that the Covered Software is free of defects,
+   merchantable, fit for a particular purpose or non-infringing. The entire
+   risk as to the quality and performance of the Covered Software is with You.
+   Should any Covered Software prove defective in any respect, You (not any
+   Contributor) assume the cost of any necessary servicing, repair, or
+   correction. This disclaimer of warranty constitutes an essential part of this
+   License. No use of  any Covered Software is authorized under this License
+   except under this disclaimer.
+
+7. Limitation of Liability
+
+   Under no circumstances and under no legal theory, whether tort (including
+   negligence), contract, or otherwise, shall any Contributor, or anyone who
+   distributes Covered Software as permitted above, be liable to You for any
+   direct, indirect, special, incidental, or consequential damages of any
+   character including, without limitation, damages for lost profits, loss of
+   goodwill, work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses, even if such party shall have been
+   informed of the possibility of such damages. This limitation of liability
+   shall not apply to liability for death or personal injury resulting from such
+   party’s negligence to the extent applicable law prohibits such limitation.
+   Some jurisdictions do not allow the exclusion or limitation of incidental or
+   consequential damages, so this exclusion and limitation may not apply to You.
+
+8. Litigation
+
+   Any litigation relating to this License may be brought only in the courts of
+   a jurisdiction where the defendant maintains its principal place of business
+   and such litigation shall be governed by laws of that jurisdiction, without
+   reference to its conflict-of-law provisions. Nothing in this Section shall
+   prevent a party’s ability to bring cross-claims or counter-claims.
+
+9. Miscellaneous
+
+   This License represents the complete agreement concerning the subject matter
+   hereof. If any provision of this License is held to be unenforceable, such
+   provision shall be reformed only to the extent necessary to make it
+   enforceable. Any law or regulation which provides that the language of a
+   contract shall be construed against the drafter shall not be used to construe
+   this License against a Contributor.
+
+
+10. Versions of the License
+
+10.1. New Versions
+
+      Mozilla Foundation is the license steward. Except as provided in Section
+      10.3, no one other than the license steward has the right to modify or
+      publish new versions of this License. Each version will be given a
+      distinguishing version number.
+
+10.2. Effect of New Versions
+
+      You may distribute the Covered Software under the terms of the version of
+      the License under which You originally received the Covered Software, or
+      under the terms of any subsequent version published by the license
+      steward.
+
+10.3. Modified Versions
+
+      If you create software not governed by this License, and you want to
+      create a new license for such software, you may create and use a modified
+      version of this License if you rename the license and remove any
+      references to the name of the license steward (except to note that such
+      modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses
+      If You choose to distribute Source Code Form that is Incompatible With
+      Secondary Licenses under the terms of this version of the License, the
+      notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+
+      This Source Code Form is subject to the
+      terms of the Mozilla Public License, v.
+      2.0. If a copy of the MPL was not
+      distributed with this file, You can
+      obtain one at
+      http://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular file, then
+You may include the notice in a location (such as a LICENSE file in a relevant
+directory) where a recipient would be likely to look for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - “Incompatible With Secondary Licenses” Notice
+
+      This Source Code Form is “Incompatible
+      With Secondary Licenses”, as defined by
+      the Mozilla Public License, v. 2.0.
+

vendor/github.com/hashicorp/go-cty-funcs/cidr/host.go

@@ -0,0 +1,49 @@
+package cidr
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/apparentlymart/go-cidr/cidr"
+	"github.com/zclconf/go-cty/cty"
+	"github.com/zclconf/go-cty/cty/function"
+	"github.com/zclconf/go-cty/cty/gocty"
+)
+
+// HostFunc is a function that calculates a full host IP address within a given
+// IP network address prefix.
+var HostFunc = function.New(&function.Spec{
+	Params: []function.Parameter{
+		{
+			Name: "prefix",
+			Type: cty.String,
+		},
+		{
+			Name: "hostnum",
+			Type: cty.Number,
+		},
+	},
+	Type: function.StaticReturnType(cty.String),
+	Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
+		var hostNum int
+		if err := gocty.FromCtyValue(args[1], &hostNum); err != nil {
+			return cty.UnknownVal(cty.String), err
+		}
+		_, network, err := net.ParseCIDR(args[0].AsString())
+		if err != nil {
+			return cty.UnknownVal(cty.String), fmt.Errorf("invalid CIDR expression: %s", err)
+		}
+
+		ip, err := cidr.Host(network, hostNum)
+		if err != nil {
+			return cty.UnknownVal(cty.String), err
+		}
+
+		return cty.StringVal(ip.String()), nil
+	},
+})
+
+// Host calculates a full host IP address within a given IP network address prefix.
+func Host(prefix, hostnum cty.Value) (cty.Value, error) {
+	return HostFunc.Call([]cty.Value{prefix, hostnum})
+}

vendor/github.com/hashicorp/go-cty-funcs/cidr/netmask.go

@@ -0,0 +1,34 @@
+package cidr
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/zclconf/go-cty/cty"
+	"github.com/zclconf/go-cty/cty/function"
+)
+
+// NetmaskFunc is a function that converts an IPv4 address prefix given in CIDR
+// notation into a subnet mask address.
+var NetmaskFunc = function.New(&function.Spec{
+	Params: []function.Parameter{
+		{
+			Name: "prefix",
+			Type: cty.String,
+		},
+	},
+	Type: function.StaticReturnType(cty.String),
+	Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
+		_, network, err := net.ParseCIDR(args[0].AsString())
+		if err != nil {
+			return cty.UnknownVal(cty.String), fmt.Errorf("invalid CIDR expression: %s", err)
+		}
+
+		return cty.StringVal(net.IP(network.Mask).String()), nil
+	},
+})
+
+// Netmask converts an IPv4 address prefix given in CIDR notation into a subnet mask address.
+func Netmask(prefix cty.Value) (cty.Value, error) {
+	return NetmaskFunc.Call([]cty.Value{prefix})
+}

vendor/github.com/hashicorp/go-cty-funcs/cidr/subnet.go

@@ -0,0 +1,66 @@
+package cidr
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/apparentlymart/go-cidr/cidr"
+	"github.com/zclconf/go-cty/cty"
+	"github.com/zclconf/go-cty/cty/function"
+	"github.com/zclconf/go-cty/cty/gocty"
+)
+
+// SubnetFunc is a function that calculates a subnet address within a given
+// IP network address prefix.
+var SubnetFunc = function.New(&function.Spec{
+	Params: []function.Parameter{
+		{
+			Name: "prefix",
+			Type: cty.String,
+		},
+		{
+			Name: "newbits",
+			Type: cty.Number,
+		},
+		{
+			Name: "netnum",
+			Type: cty.Number,
+		},
+	},
+	Type: function.StaticReturnType(cty.String),
+	Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
+		var newbits int
+		if err := gocty.FromCtyValue(args[1], &newbits); err != nil {
+			return cty.UnknownVal(cty.String), err
+		}
+		var netnum int
+		if err := gocty.FromCtyValue(args[2], &netnum); err != nil {
+			return cty.UnknownVal(cty.String), err
+		}
+
+		_, network, err := net.ParseCIDR(args[0].AsString())
+		if err != nil {
+			return cty.UnknownVal(cty.String), fmt.Errorf("invalid CIDR expression: %s", err)
+		}
+
+		// For portability with 32-bit systems where the subnet number will be
+		// a 32-bit int, we only allow extension of 32 bits in one call even if
+		// we're running on a 64-bit machine. (Of course, this is significant
+		// only for IPv6.)
+		if newbits > 32 {
+			return cty.UnknownVal(cty.String), fmt.Errorf("may not extend prefix by more than 32 bits")
+		}
+
+		newNetwork, err := cidr.Subnet(network, newbits, netnum)
+		if err != nil {
+			return cty.UnknownVal(cty.String), err
+		}
+
+		return cty.StringVal(newNetwork.String()), nil
+	},
+})
+
+// Subnet calculates a subnet address within a given IP network address prefix.
+func Subnet(prefix, newbits, netnum cty.Value) (cty.Value, error) {
+	return SubnetFunc.Call([]cty.Value{prefix, newbits, netnum})
+}

vendor/github.com/hashicorp/go-cty-funcs/cidr/subnets.go

@@ -0,0 +1,99 @@
+package cidr
+
+import (
+	"net"
+
+	"github.com/apparentlymart/go-cidr/cidr"
+	"github.com/zclconf/go-cty/cty"
+	"github.com/zclconf/go-cty/cty/function"
+	"github.com/zclconf/go-cty/cty/gocty"
+)
+
+// SubnetsFunc is similar to SubnetFunc but calculates many consecutive subnet
+// addresses at once, rather than just a single subnet extension.
+var SubnetsFunc = function.New(&function.Spec{
+	Params: []function.Parameter{
+		{
+			Name: "prefix",
+			Type: cty.String,
+		},
+	},
+	VarParam: &function.Parameter{
+		Name: "newbits",
+		Type: cty.Number,
+	},
+	Type: function.StaticReturnType(cty.List(cty.String)),
+	Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
+		_, network, err := net.ParseCIDR(args[0].AsString())
+		if err != nil {
+			return cty.UnknownVal(cty.String), function.NewArgErrorf(0, "invalid CIDR expression: %s", err)
+		}
+		startPrefixLen, _ := network.Mask.Size()
+
+		prefixLengthArgs := args[1:]
+		if len(prefixLengthArgs) == 0 {
+			return cty.ListValEmpty(cty.String), nil
+		}
+
+		var firstLength int
+		if err := gocty.FromCtyValue(prefixLengthArgs[0], &firstLength); err != nil {
+			return cty.UnknownVal(cty.String), function.NewArgError(1, err)
+		}
+		firstLength += startPrefixLen
+
+		retVals := make([]cty.Value, len(prefixLengthArgs))
+
+		current, _ := cidr.PreviousSubnet(network, firstLength)
+		for i, lengthArg := range prefixLengthArgs {
+			var length int
+			if err := gocty.FromCtyValue(lengthArg, &length); err != nil {
+				return cty.UnknownVal(cty.String), function.NewArgError(i+1, err)
+			}
+
+			if length < 1 {
+				return cty.UnknownVal(cty.String), function.NewArgErrorf(i+1, "must extend prefix by at least one bit")
+			}
+			// For portability with 32-bit systems where the subnet number
+			// will be a 32-bit int, we only allow extension of 32 bits in
+			// one call even if we're running on a 64-bit machine.
+			// (Of course, this is significant only for IPv6.)
+			if length > 32 {
+				return cty.UnknownVal(cty.String), function.NewArgErrorf(i+1, "may not extend prefix by more than 32 bits")
+			}
+			length += startPrefixLen
+			if length > (len(network.IP) * 8) {
+				protocol := "IP"
+				switch len(network.IP) * 8 {
+				case 32:
+					protocol = "IPv4"
+				case 128:
+					protocol = "IPv6"
+				}
+				return cty.UnknownVal(cty.String), function.NewArgErrorf(i+1, "would extend prefix to %d bits, which is too long for an %s address", length, protocol)
+			}
+
+			next, rollover := cidr.NextSubnet(current, length)
+			if rollover || !network.Contains(next.IP) {
+				// If we run out of suffix bits in the base CIDR prefix then
+				// NextSubnet will start incrementing the prefix bits, which
+				// we don't allow because it would then allocate addresses
+				// outside of the caller's given prefix.
+				return cty.UnknownVal(cty.String), function.NewArgErrorf(i+1, "not enough remaining address space for a subnet with a prefix of %d bits after %s", length, current.String())
+			}
+
+			current = next
+			retVals[i] = cty.StringVal(current.String())
+		}
+
+		return cty.ListVal(retVals), nil
+	},
+})
+
+// Subnets calculates a sequence of consecutive subnet prefixes that may be of
+// different prefix lengths under a common base prefix.
+func Subnets(prefix cty.Value, newbits ...cty.Value) (cty.Value, error) {
+	args := make([]cty.Value, len(newbits)+1)
+	args[0] = prefix
+	copy(args[1:], newbits)
+	return SubnetsFunc.Call(args)
+}

vendor/github.com/hashicorp/go-cty-funcs/crypto/bcrypt.go

@@ -0,0 +1,59 @@
+package crypto
+
+import (
+	"fmt"
+
+	"github.com/zclconf/go-cty/cty"
+	"github.com/zclconf/go-cty/cty/function"
+	"github.com/zclconf/go-cty/cty/gocty"
+	"golang.org/x/crypto/bcrypt"
+)
+
+// BcryptFunc is a function that computes a hash of the given string using the
+// Blowfish cipher.
+var BcryptFunc = function.New(&function.Spec{
+	Params: []function.Parameter{
+		{
+			Name: "str",
+			Type: cty.String,
+		},
+	},
+	VarParam: &function.Parameter{
+		Name: "cost",
+		Type: cty.Number,
+	},
+	Type: function.StaticReturnType(cty.String),
+	Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
+		defaultCost := 10
+
+		if len(args) > 1 {
+			var val int
+			if err := gocty.FromCtyValue(args[1], &val); err != nil {
+				return cty.UnknownVal(cty.String), err
+			}
+			defaultCost = val
+		}
+
+		if len(args) > 2 {
+			return cty.UnknownVal(cty.String), fmt.Errorf("bcrypt() takes no more than two arguments")
+		}
+
+		input := args[0].AsString()
+		out, err := bcrypt.GenerateFromPassword([]byte(input), defaultCost)
+		if err != nil {
+			return cty.UnknownVal(cty.String), fmt.Errorf("error occured generating password %s", err.Error())
+		}
+
+		return cty.StringVal(string(out)), nil
+	},
+})
+
+// Bcrypt computes a hash of the given string using the Blowfish cipher,
+// returning a string in the Modular Crypt Format usually expected in the
+// shadow password file on many Unix systems.
+func Bcrypt(str cty.Value, cost ...cty.Value) (cty.Value, error) {
+	args := make([]cty.Value, len(cost)+1)
+	args[0] = str
+	copy(args[1:], cost)
+	return BcryptFunc.Call(args)
+}

vendor/github.com/hashicorp/go-cty-funcs/crypto/hash.go

@@ -0,0 +1,27 @@
+package crypto
+
+import (
+	"hash"
+
+	"github.com/zclconf/go-cty/cty"
+	"github.com/zclconf/go-cty/cty/function"
+)
+
+func makeStringHashFunction(hf func() hash.Hash, enc func([]byte) string) function.Function {
+	return function.New(&function.Spec{
+		Params: []function.Parameter{
+			{
+				Name: "str",
+				Type: cty.String,
+			},
+		},
+		Type: function.StaticReturnType(cty.String),
+		Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
+			s := args[0].AsString()
+			h := hf()
+			h.Write([]byte(s))
+			rv := enc(h.Sum(nil))
+			return cty.StringVal(rv), nil
+		},
+	})
+}

vendor/github.com/hashicorp/go-cty-funcs/crypto/md5.go

@@ -0,0 +1,18 @@
+package crypto
+
+import (
+	"crypto/md5"
+	"encoding/hex"
+
+	"github.com/zclconf/go-cty/cty"
+)
+
+// Md5Func is a function that computes the MD5 hash of a given string and
+// encodes it with hexadecimal digits.
+var Md5Func = makeStringHashFunction(md5.New, hex.EncodeToString)
+
+// Md5 computes the MD5 hash of a given string and encodes it with hexadecimal
+// digits.
+func Md5(str cty.Value) (cty.Value, error) {
+	return Md5Func.Call([]cty.Value{str})
+}

vendor/github.com/hashicorp/go-cty-funcs/crypto/rsa.go

@@ -0,0 +1,64 @@
+package crypto
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/pem"
+	"fmt"
+
+	"github.com/zclconf/go-cty/cty"
+	"github.com/zclconf/go-cty/cty/function"
+)
+
+// RsaDecryptFunc is a function that decrypts an RSA-encrypted ciphertext.
+var RsaDecryptFunc = function.New(&function.Spec{
+	Params: []function.Parameter{
+		{
+			Name: "ciphertext",
+			Type: cty.String,
+		},
+		{
+			Name: "privatekey",
+			Type: cty.String,
+		},
+	},
+	Type: function.StaticReturnType(cty.String),
+	Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
+		s := args[0].AsString()
+		key := args[1].AsString()
+
+		b, err := base64.StdEncoding.DecodeString(s)
+		if err != nil {
+			return cty.UnknownVal(cty.String), fmt.Errorf("failed to decode input %q: cipher text must be base64-encoded", s)
+		}
+
+		block, _ := pem.Decode([]byte(key))
+		if block == nil {
+			return cty.UnknownVal(cty.String), fmt.Errorf("failed to parse key: no key found")
+		}
+		if block.Headers["Proc-Type"] == "4,ENCRYPTED" {
+			return cty.UnknownVal(cty.String), fmt.Errorf(
+				"failed to parse key: password protected keys are not supported. Please decrypt the key prior to use",
+			)
+		}
+
+		x509Key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+		if err != nil {
+			return cty.UnknownVal(cty.String), err
+		}
+
+		out, err := rsa.DecryptPKCS1v15(nil, x509Key, b)
+		if err != nil {
+			return cty.UnknownVal(cty.String), err
+		}
+
+		return cty.StringVal(string(out)), nil
+	},
+})
+
+// RsaDecrypt decrypts an RSA-encrypted ciphertext, returning the corresponding
+// cleartext.
+func RsaDecrypt(ciphertext, privatekey cty.Value) (cty.Value, error) {
+	return RsaDecryptFunc.Call([]cty.Value{ciphertext, privatekey})
+}

vendor/github.com/hashicorp/go-cty-funcs/crypto/sha.go

@@ -0,0 +1,40 @@
+package crypto
+
+import (
+	"crypto/sha1"
+	"crypto/sha256"
+	"crypto/sha512"
+	"encoding/hex"
+
+	"github.com/zclconf/go-cty/cty"
+)
+
+// Sha1Func is a function that computes the SHA1 hash of a given string and
+// encodes it with hexadecimal digits.
+var Sha1Func = makeStringHashFunction(sha1.New, hex.EncodeToString)
+
+// Sha256Func is a function that computes the SHA256 hash of a given string and
+// encodes it with hexadecimal digits.
+var Sha256Func = makeStringHashFunction(sha256.New, hex.EncodeToString)
+
+// Sha512Func is a function that computes the SHA512 hash of a given string and
+// encodes it with hexadecimal digits.
+var Sha512Func = makeStringHashFunction(sha512.New, hex.EncodeToString)
+
+// Sha1 computes the SHA1 hash of a given string and encodes it with
+// hexadecimal digits.
+func Sha1(str cty.Value) (cty.Value, error) {
+	return Sha1Func.Call([]cty.Value{str})
+}
+
+// Sha256 computes the SHA256 hash of a given string and encodes it with
+// hexadecimal digits.
+func Sha256(str cty.Value) (cty.Value, error) {
+	return Sha256Func.Call([]cty.Value{str})
+}
+
+// Sha512 computes the SHA512 hash of a given string and encodes it with
+// hexadecimal digits.
+func Sha512(str cty.Value) (cty.Value, error) {
+	return Sha512Func.Call([]cty.Value{str})
+}

vendor/github.com/hashicorp/go-cty-funcs/encoding/base64.go

@@ -0,0 +1,71 @@
+package encoding
+
+import (
+	"encoding/base64"
+	"fmt"
+	"log"
+	"unicode/utf8"
+
+	"github.com/zclconf/go-cty/cty"
+	"github.com/zclconf/go-cty/cty/function"
+)
+
+// Base64DecodeFunc is a function that decodes a string containing a base64 sequence.
+var Base64DecodeFunc = function.New(&function.Spec{
+	Params: []function.Parameter{
+		{
+			Name: "str",
+			Type: cty.String,
+		},
+	},
+	Type: function.StaticReturnType(cty.String),
+	Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) {
+		s := args[0].AsString()
+		sDec, err := base64.StdEncoding.DecodeString(s)
+		if err != nil {
+			return cty.UnknownVal(cty.String), fmt.Errorf("failed to decode base64 data '%s'", s)
+		}
+		if !utf8.Valid([]byte(sDec)) {
+			log.Printf("[DEBUG] the result of decoding the the provided string is not valid UTF-8: %s", sDec)
+			return cty.UnknownVal(cty.String), fmt.Errorf("the result of decoding the the provided string is not valid UTF-8")
+		}
+		return cty.StringVal(string(sDec)), nil
+	},
+})
+
+// Base64EncodeFunc is a function that encodes a string to a base64 sequence.
+var Base64EncodeFunc = function.New(&function.Spec{
+	Params: []function.Parameter{
+		{
+			Name: "str",
+			Type: cty.String,
+		},
+	},
+	Type: function.StaticReturnType(cty.String),
+	Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) {
+		return cty.StringVal(base64.StdEncoding.EncodeToString([]byte(args[0].AsString()))), nil
+	},
+})
+
+// Base64Decode decodes a string containing a base64 sequence.
+//
+// Terraform uses the "standard" Base64 alphabet as defined in RFC 4648 section 4.
+//
+// Strings in the Terraform language are sequences of unicode characters rather
+// than bytes, so this function will also interpret the resulting bytes as
+// UTF-8. If the bytes after Base64 decoding are _not_ valid UTF-8, this function
+// produces an error.
+func Base64Decode(str cty.Value) (cty.Value, error) {
+	return Base64DecodeFunc.Call([]cty.Value{str})
+}
+
+// Base64Encode applies Base64 encoding to a string.
+//
+// Terraform uses the "standard" Base64 alphabet as defined in RFC 4648 section 4.
+//
+// Strings in the Terraform language are sequences of unicode characters rather
+// than bytes, so this function will first encode the characters from the string
+// as UTF-8, and then apply Base64 encoding to the result.
+func Base64Encode(str cty.Value) (cty.Value, error) {
+	return Base64EncodeFunc.Call([]cty.Value{str})
+}

vendor/github.com/hashicorp/go-cty-funcs/encoding/url.go

@@ -0,0 +1,34 @@
+package encoding
+
+import (
+	"net/url"
+
+	"github.com/zclconf/go-cty/cty"
+	"github.com/zclconf/go-cty/cty/function"
+)
+
+// URLEncodeFunc is a function that applies URL encoding to a given string.
+var URLEncodeFunc = function.New(&function.Spec{
+	Params: []function.Parameter{
+		{
+			Name: "str",
+			Type: cty.String,
+		},
+	},
+	Type: function.StaticReturnType(cty.String),
+	Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) {
+		return cty.StringVal(url.QueryEscape(args[0].AsString())), nil
+	},
+})
+
+// URLEncode applies URL encoding to a given string.
+//
+// This function identifies characters in the given string that would have a
+// special meaning when included as a query string argument in a URL and
+// escapes them using RFC 3986 "percent encoding".
+//
+// If the given string contains non-ASCII characters, these are first encoded as
+// UTF-8 and then percent encoding is applied separately to each UTF-8 byte.
+func URLEncode(str cty.Value) (cty.Value, error) {
+	return URLEncodeFunc.Call([]cty.Value{str})
+}

vendor/github.com/hashicorp/go-cty-funcs/uuid/uuid_v4.go

@@ -0,0 +1,28 @@
+package uuid
+
+import (
+	"github.com/google/uuid"
+	"github.com/zclconf/go-cty/cty"
+	"github.com/zclconf/go-cty/cty/function"
+)
+
+var V4Func = function.New(&function.Spec{
+	Params: []function.Parameter{},
+	Type:   function.StaticReturnType(cty.String),
+	Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
+		uuid, err := uuid.NewRandom()
+		if err != nil {
+			return cty.UnknownVal(cty.String), err
+		}
+		return cty.StringVal(uuid.String()), nil
+	},
+})
+
+// V4 generates and returns a Type-4 UUID in the standard hexadecimal string
+// format.
+//
+// This is not a "pure" function: it will generate a different result for each
+// call.
+func V4() (cty.Value, error) {
+	return V4Func.Call(nil)
+}

vendor/github.com/hashicorp/go-cty-funcs/uuid/uuid_v5.go

@@ -0,0 +1,51 @@
+package uuid
+
+import (
+	"fmt"
+
+	uuidv5 "github.com/google/uuid"
+	"github.com/zclconf/go-cty/cty"
+	"github.com/zclconf/go-cty/cty/function"
+)
+
+var V5Func = function.New(&function.Spec{
+	Params: []function.Parameter{
+		{
+			Name: "namespace",
+			Type: cty.String,
+		},
+		{
+			Name: "name",
+			Type: cty.String,
+		},
+	},
+	Type: function.StaticReturnType(cty.String),
+	Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
+		var namespace uuidv5.UUID
+		switch {
+		case args[0].AsString() == "dns":
+			namespace = uuidv5.NameSpaceDNS
+		case args[0].AsString() == "url":
+			namespace = uuidv5.NameSpaceURL
+		case args[0].AsString() == "oid":
+			namespace = uuidv5.NameSpaceOID
+		case args[0].AsString() == "x500":
+			namespace = uuidv5.NameSpaceX500
+		default:
+			if namespace, err = uuidv5.Parse(args[0].AsString()); err != nil {
+				return cty.UnknownVal(cty.String), fmt.Errorf("uuidv5() doesn't support namespace %s (%v)", args[0].AsString(), err)
+			}
+		}
+		val := args[1].AsString()
+		return cty.StringVal(uuidv5.NewSHA1(namespace, []byte(val)).String()), nil
+	},
+})
+
+// V5 generates and returns a Type-5 UUID in the standard hexadecimal
+// string format.
+//
+// This is not a "pure" function: it will generate a different result for each
+// call.
+func V5(namespace cty.Value, name cty.Value) (cty.Value, error) {
+	return V5Func.Call([]cty.Value{namespace, name})
+}

vendor/github.com/hashicorp/hcl/v2/CHANGELOG.md

@@ -1,5 +1,52 @@
 # HCL Changelog
 
+## v2.8.1 (Unreleased)
+ 
+### Bugs Fixed
+
+* hclsyntax: Fix panic when expanding marked function arguments. ([#429](https://github.com/hashicorp/hcl/pull/429))
+* hclsyntax: Error when attempting to use a marked value as an object key. ([#434](https://github.com/hashicorp/hcl/pull/434))
+* hclsyntax: Error when attempting to use a marked value as an object key in expressions. ([#433](https://github.com/hashicorp/hcl/pull/433))
+
+## v2.8.0 (December 7, 2020)
+
+### Enhancements
+
+* hclsyntax: Expression grouping parentheses will now be reflected by an explicit node in the AST, whereas before they were only considered during parsing. ([#426](https://github.com/hashicorp/hcl/pull/426))
+
+### Bugs Fixed
+
+* hclwrite: The parser will now correctly include the `(` and `)` tokens when an expression is surrounded by parentheses. Previously it would incorrectly recognize those tokens as being extraneous tokens outside of the expression. ([#426](https://github.com/hashicorp/hcl/pull/426))
+* hclwrite: The formatter will now remove (rather than insert) spaces between the `!` (unary boolean "not") operator and its subsequent operand. ([#403](https://github.com/hashicorp/hcl/pull/403))
+* hclsyntax: Unmark conditional values in expressions before checking their truthfulness ([#427](https://github.com/hashicorp/hcl/pull/427))
+
+## v2.7.2 (November 30, 2020)
+
+### Bugs Fixed
+
+* gohcl: Fix panic when decoding into type containing value slices. ([#335](https://github.com/hashicorp/hcl/pull/335))
+* hclsyntax: The unusual expression `null[*]` was previously always returning an unknown value, even though the rules for `[*]` normally call for it to return an empty tuple when applied to a null. As well as being a surprising result, it was particularly problematic because it violated the rule that a calling application may assume that an expression result will always be known unless the application itself introduces unknown values via the evaluation context. `null[*]` will now produce an empty tuple. ([#416](https://github.com/hashicorp/hcl/pull/416))
+* hclsyntax: Fix panic when traversing a list, tuple, or map with cty "marks" ([#424](https://github.com/hashicorp/hcl/pull/424))
+
+## v2.7.1 (November 18, 2020)
+
+### Bugs Fixed
+
+* hclwrite: Correctly handle blank quoted string block labels, instead of dropping them ([#422](https://github.com/hashicorp/hcl/pull/422))
+
+## v2.7.0 (October 14, 2020)
+
+### Enhancements
+
+* json: There is a new function `ParseWithStartPos`, which allows overriding the starting position for parsing in case the given JSON bytes are a fragment of a larger document, such as might happen when decoding with `encoding/json` into a `json.RawMessage`. ([#389](https://github.com/hashicorp/hcl/pull/389))
+* json: There is a new function `ParseExpression`, which allows parsing a JSON string directly in expression mode, whereas previously it was only possible to parse a JSON string in body mode. ([#381](https://github.com/hashicorp/hcl/pull/381))
+* hclwrite: `Block` type now supports `SetType` and `SetLabels`, allowing surgical changes to the type and labels of an existing block without having to reconstruct the entire block. ([#340](https://github.com/hashicorp/hcl/pull/340))
+
+### Bugs Fixed
+
+* hclsyntax: Fix confusing error message for bitwise OR operator ([#380](https://github.com/hashicorp/hcl/pull/380))
+* hclsyntax: Several bug fixes for using HCL with values containing cty "marks" ([#404](https://github.com/hashicorp/hcl/pull/404), [#406](https://github.com/hashicorp/hcl/pull/404), [#407](https://github.com/hashicorp/hcl/pull/404))
+
 ## v2.6.0 (June 4, 2020)
 
 ### Enhancements

vendor/github.com/hashicorp/hcl/v2/README.md

@@ -33,11 +33,25 @@ package main
 
 import (
 	"log"
+
 	"github.com/hashicorp/hcl/v2/hclsimple"
 )
 
 type Config struct {
-	LogLevel string `hcl:"log_level"`
+	IOMode  string        `hcl:"io_mode"`
+	Service ServiceConfig `hcl:"service,block"`
+}
+
+type ServiceConfig struct {
+	Protocol   string          `hcl:"protocol,label"`
+	Type       string          `hcl:"type,label"`
+	ListenAddr string          `hcl:"listen_addr"`
+	Processes  []ProcessConfig `hcl:"process,block"`
+}
+
+type ProcessConfig struct {
+	Type    string   `hcl:"type,label"`
+	Command []string `hcl:"command"`
 }
 
 func main() {

vendor/github.com/hashicorp/hcl/v2/appveyor.yml

@@ -1,13 +0,0 @@
-build: off
-
-clone_folder: c:\gopath\src\github.com\hashicorp\hcl
-
-environment:
-  GOPATH: c:\gopath
-  GO111MODULE: on
-  GOPROXY: https://goproxy.io
-
-stack: go 1.12
-
-test_script:
-  - go test ./...

vendor/github.com/hashicorp/hcl/v2/ext/tryfunc/README.md

@@ -0,0 +1,44 @@
+# "Try" and "can" functions
+
+This Go package contains two `cty` functions intended for use in an
+`hcl.EvalContext` when evaluating HCL native syntax expressions.
+
+The first function `try` attempts to evaluate each of its argument expressions
+in order until one produces a result without any errors.
+
+```hcl
+try(non_existent_variable, 2) # returns 2
+```
+
+If none of the expressions succeed, the function call fails with all of the
+errors it encountered.
+
+The second function `can` is similar except that it ignores the result of
+the given expression altogether and simply returns `true` if the expression
+produced a successful result or `false` if it produced errors.
+
+Both of these are primarily intended for working with deep data structures
+which might not have a dependable shape. For example, we can use `try` to
+attempt to fetch a value from deep inside a data structure but produce a
+default value if any step of the traversal fails:
+
+```hcl
+result = try(foo.deep[0].lots.of["traversals"], null)
+```
+
+The final result to `try` should generally be some sort of constant value that
+will always evaluate successfully.
+
+## Using these functions
+
+Languages built on HCL can make `try` and `can` available to user code by
+exporting them in the `hcl.EvalContext` used for expression evaluation:
+
+```go
+ctx := &hcl.EvalContext{
+    Functions: map[string]function.Function{
+        "try": tryfunc.TryFunc,
+        "can": tryfunc.CanFunc,
+    },
+}
+```

vendor/github.com/hashicorp/hcl/v2/ext/tryfunc/tryfunc.go

@@ -0,0 +1,150 @@
+// Package tryfunc contains some optional functions that can be exposed in
+// HCL-based languages to allow authors to test whether a particular expression
+// can succeed and take dynamic action based on that result.
+//
+// These functions are implemented in terms of the customdecode extension from
+// the sibling directory "customdecode", and so they are only useful when
+// used within an HCL EvalContext. Other systems using cty functions are
+// unlikely to support the HCL-specific "customdecode" extension.
+package tryfunc
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/hcl/v2"
+	"github.com/hashicorp/hcl/v2/ext/customdecode"
+	"github.com/zclconf/go-cty/cty"
+	"github.com/zclconf/go-cty/cty/function"
+)
+
+// TryFunc is a variadic function that tries to evaluate all of is arguments
+// in sequence until one succeeds, in which case it returns that result, or
+// returns an error if none of them succeed.
+var TryFunc function.Function
+
+// CanFunc tries to evaluate the expression given in its first argument.
+var CanFunc function.Function
+
+func init() {
+	TryFunc = function.New(&function.Spec{
+		VarParam: &function.Parameter{
+			Name: "expressions",
+			Type: customdecode.ExpressionClosureType,
+		},
+		Type: func(args []cty.Value) (cty.Type, error) {
+			v, err := try(args)
+			if err != nil {
+				return cty.NilType, err
+			}
+			return v.Type(), nil
+		},
+		Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) {
+			return try(args)
+		},
+	})
+	CanFunc = function.New(&function.Spec{
+		Params: []function.Parameter{
+			{
+				Name: "expression",
+				Type: customdecode.ExpressionClosureType,
+			},
+		},
+		Type: function.StaticReturnType(cty.Bool),
+		Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) {
+			return can(args[0])
+		},
+	})
+}
+
+func try(args []cty.Value) (cty.Value, error) {
+	if len(args) == 0 {
+		return cty.NilVal, errors.New("at least one argument is required")
+	}
+
+	// We'll collect up all of the diagnostics we encounter along the way
+	// and report them all if none of the expressions succeed, so that the
+	// user might get some hints on how to make at least one succeed.
+	var diags hcl.Diagnostics
+	for _, arg := range args {
+		closure := customdecode.ExpressionClosureFromVal(arg)
+		if dependsOnUnknowns(closure.Expression, closure.EvalContext) {
+			// We can't safely decide if this expression will succeed yet,
+			// and so our entire result must be unknown until we have
+			// more information.
+			return cty.DynamicVal, nil
+		}
+
+		v, moreDiags := closure.Value()
+		diags = append(diags, moreDiags...)
+		if moreDiags.HasErrors() {
+			continue // try the next one, if there is one to try
+		}
+		return v, nil // ignore any accumulated diagnostics if one succeeds
+	}
+
+	// If we fall out here then none of the expressions succeeded, and so
+	// we must have at least one diagnostic and we'll return all of them
+	// so that the user can see the errors related to whichever one they
+	// were expecting to have succeeded in this case.
+	//
+	// Because our function must return a single error value rather than
+	// diagnostics, we'll construct a suitable error message string
+	// that will make sense in the context of the function call failure
+	// diagnostic HCL will eventually wrap this in.
+	var buf strings.Builder
+	buf.WriteString("no expression succeeded:\n")
+	for _, diag := range diags {
+		if diag.Subject != nil {
+			buf.WriteString(fmt.Sprintf("- %s (at %s)\n  %s\n", diag.Summary, diag.Subject, diag.Detail))
+		} else {
+			buf.WriteString(fmt.Sprintf("- %s\n  %s\n", diag.Summary, diag.Detail))
+		}
+	}
+	buf.WriteString("\nAt least one expression must produce a successful result")
+	return cty.NilVal, errors.New(buf.String())
+}
+
+func can(arg cty.Value) (cty.Value, error) {
+	closure := customdecode.ExpressionClosureFromVal(arg)
+	if dependsOnUnknowns(closure.Expression, closure.EvalContext) {
+		// Can't decide yet, then.
+		return cty.UnknownVal(cty.Bool), nil
+	}
+
+	_, diags := closure.Value()
+	if diags.HasErrors() {
+		return cty.False, nil
+	}
+	return cty.True, nil
+}
+
+// dependsOnUnknowns returns true if any of the variables that the given
+// expression might access are unknown values or contain unknown values.
+//
+// This is a conservative result that prefers to return true if there's any
+// chance that the expression might derive from an unknown value during its
+// evaluation; it is likely to produce false-positives for more complex
+// expressions involving deep data structures.
+func dependsOnUnknowns(expr hcl.Expression, ctx *hcl.EvalContext) bool {
+	for _, traversal := range expr.Variables() {
+		val, diags := traversal.TraverseAbs(ctx)
+		if diags.HasErrors() {
+			// If the traversal returned a definitive error then it must
+			// not traverse through any unknowns.
+			continue
+		}
+		if !val.IsWhollyKnown() {
+			// The value will be unknown if either it refers directly to
+			// an unknown value or if the traversal moves through an unknown
+			// collection. We're using IsWhollyKnown, so this also catches
+			// situations where the traversal refers to a compound data
+			// structure that contains any unknown values. That's important,
+			// because during evaluation the expression might evaluate more
+			// deeply into this structure and encounter the unknowns.
+			return true
+		}
+	}
+	return false
+}

vendor/github.com/hashicorp/hcl/v2/ext/typeexpr/README.md

@@ -0,0 +1,135 @@
+# HCL Type Expressions Extension
+
+This HCL extension defines a convention for describing HCL types using function
+call and variable reference syntax, allowing configuration formats to include
+type information provided by users.
+
+The type syntax is processed statically from a hcl.Expression, so it cannot
+use any of the usual language operators. This is similar to type expressions
+in statically-typed programming languages.
+
+```hcl
+variable "example" {
+  type = list(string)
+}
+```
+
+The extension is built using the `hcl.ExprAsKeyword` and `hcl.ExprCall`
+functions, and so it relies on the underlying syntax to define how "keyword"
+and "call" are interpreted. The above shows how they are interpreted in
+the HCL native syntax, while the following shows the same information
+expressed in JSON:
+
+```json
+{
+  "variable": {
+    "example": {
+      "type": "list(string)"
+    }
+  }
+}
+```
+
+Notice that since we have additional contextual information that we intend
+to allow only calls and keywords the JSON syntax is able to parse the given
+string directly as an expression, rather than as a template as would be
+the case for normal expression evaluation.
+
+For more information, see [the godoc reference](http://godoc.org/github.com/hashicorp/hcl/v2/ext/typeexpr).
+
+## Type Expression Syntax
+
+When expressed in the native syntax, the following expressions are permitted
+in a type expression:
+
+* `string` - string
+* `bool` - boolean
+* `number` - number
+* `any` - `cty.DynamicPseudoType` (in function `TypeConstraint` only)
+* `list(<type_expr>)` - list of the type given as an argument
+* `set(<type_expr>)` - set of the type given as an argument
+* `map(<type_expr>)` - map of the type given as an argument
+* `tuple([<type_exprs...>])` - tuple with the element types given in the single list argument
+* `object({<attr_name>=<type_expr>, ...}` - object with the attributes and corresponding types given in the single map argument
+
+For example:
+
+* `list(string)`
+* `object({name=string,age=number})`
+* `map(object({name=string,age=number}))`
+
+Note that the object constructor syntax is not fully-general for all possible
+object types because it requires the attribute names to be valid identifiers.
+In practice it is expected that any time an object type is being fixed for
+type checking it will be one that has identifiers as its attributes; object
+types with weird attributes generally show up only from arbitrary object
+constructors in configuration files, which are usually treated either as maps
+or as the dynamic pseudo-type.
+
+## Type Constraints as Values
+
+Along with defining a convention for writing down types using HCL expression
+constructs, this package also includes a mechanism for representing types as
+values that can be used as data within an HCL-based language.
+
+`typeexpr.TypeConstraintType` is a
+[`cty` capsule type](https://github.com/zclconf/go-cty/blob/master/docs/types.md#capsule-types)
+that encapsulates `cty.Type` values. You can construct such a value directly
+using the `TypeConstraintVal` function:
+
+```go
+tyVal := typeexpr.TypeConstraintVal(cty.String)
+
+// We can unpack the type from a value using TypeConstraintFromVal
+ty := typeExpr.TypeConstraintFromVal(tyVal)
+```
+
+However, the primary purpose of `typeexpr.TypeConstraintType` is to be
+specified as the type constraint for an argument, in which case it serves
+as a signal for HCL to treat the argument expression as a type constraint
+expression as defined above, rather than as a normal value expression.
+
+"An argument" in the above in practice means the following two locations:
+
+* As the type constraint for a parameter of a cty function that will be
+  used in an `hcl.EvalContext`. In that case, function calls in the HCL
+  native expression syntax will require the argument to be valid type constraint
+  expression syntax and the function implementation will receive a
+  `TypeConstraintType` value as the argument value for that parameter.
+
+* As the type constraint for a `hcldec.AttrSpec` or `hcldec.BlockAttrsSpec`
+  when decoding an HCL body using `hcldec`. In that case, the attributes
+  with that type constraint will be required to be valid type constraint
+  expression syntax and the result will be a `TypeConstraintType` value.
+
+Note that the special handling of these arguments means that an argument
+marked in this way must use the type constraint syntax directly. It is not
+valid to pass in a value of `TypeConstraintType` that has been obtained
+dynamically via some other expression result.
+
+`TypeConstraintType` is provided with the intent of using it internally within
+application code when incorporating type constraint expression syntax into
+an HCL-based language, not to be used for dynamic "programming with types". A
+calling application could support programming with types by defining its _own_
+capsule type, but that is not the purpose of `TypeConstraintType`.
+
+## The "convert" `cty` Function
+
+Building on the `TypeConstraintType` described in the previous section, this
+package also provides `typeexpr.ConvertFunc` which is a cty function that
+can be placed into a `cty.EvalContext` (conventionally named "convert") in
+order to provide a general type conversion function in an HCL-based language:
+
+```hcl
+  foo = convert("true", bool)
+```
+
+The second parameter uses the mechanism described in the previous section to
+require its argument to be a type constraint expression rather than a value
+expression. In doing so, it allows converting with any type constraint that
+can be expressed in this package's type constraint syntax. In the above example,
+the `foo` argument would receive a boolean true, or `cty.True` in `cty` terms.
+
+The target type constraint must always be provided statically using inline
+type constraint syntax. There is no way to _dynamically_ select a type
+constraint using this function.

vendor/github.com/hashicorp/hcl/v2/ext/typeexpr/doc.go

@@ -0,0 +1,11 @@
+// Package typeexpr extends HCL with a convention for describing HCL types
+// within configuration files.
+//
+// The type syntax is processed statically from a hcl.Expression, so it cannot
+// use any of the usual language operators. This is similar to type expressions
+// in statically-typed programming languages.
+//
+//     variable "example" {
+//       type = list(string)
+//     }
+package typeexpr

vendor/github.com/hashicorp/hcl/v2/ext/typeexpr/get_type.go

@@ -0,0 +1,196 @@
+package typeexpr
+
+import (
+	"fmt"
+
+	"github.com/hashicorp/hcl/v2"
+	"github.com/zclconf/go-cty/cty"
+)
+
+const invalidTypeSummary = "Invalid type specification"
+
+// getType is the internal implementation of both Type and TypeConstraint,
+// using the passed flag to distinguish. When constraint is false, the "any"
+// keyword will produce an error.
+func getType(expr hcl.Expression, constraint bool) (cty.Type, hcl.Diagnostics) {
+	// First we'll try for one of our keywords
+	kw := hcl.ExprAsKeyword(expr)
+	switch kw {
+	case "bool":
+		return cty.Bool, nil
+	case "string":
+		return cty.String, nil
+	case "number":
+		return cty.Number, nil
+	case "any":
+		if constraint {
+			return cty.DynamicPseudoType, nil
+		}
+		return cty.DynamicPseudoType, hcl.Diagnostics{{
+			Severity: hcl.DiagError,
+			Summary:  invalidTypeSummary,
+			Detail:   fmt.Sprintf("The keyword %q cannot be used in this type specification: an exact type is required.", kw),
+			Subject:  expr.Range().Ptr(),
+		}}
+	case "list", "map", "set":
+		return cty.DynamicPseudoType, hcl.Diagnostics{{
+			Severity: hcl.DiagError,
+			Summary:  invalidTypeSummary,
+			Detail:   fmt.Sprintf("The %s type constructor requires one argument specifying the element type.", kw),
+			Subject:  expr.Range().Ptr(),
+		}}
+	case "object":
+		return cty.DynamicPseudoType, hcl.Diagnostics{{
+			Severity: hcl.DiagError,
+			Summary:  invalidTypeSummary,
+			Detail:   "The object type constructor requires one argument specifying the attribute types and values as a map.",
+			Subject:  expr.Range().Ptr(),
+		}}
+	case "tuple":
+		return cty.DynamicPseudoType, hcl.Diagnostics{{
+			Severity: hcl.DiagError,
+			Summary:  invalidTypeSummary,
+			Detail:   "The tuple type constructor requires one argument specifying the element types as a list.",
+			Subject:  expr.Range().Ptr(),
+		}}
+	case "":
+		// okay! we'll fall through and try processing as a call, then.
+	default:
+		return cty.DynamicPseudoType, hcl.Diagnostics{{
+			Severity: hcl.DiagError,
+			Summary:  invalidTypeSummary,
+			Detail:   fmt.Sprintf("The keyword %q is not a valid type specification.", kw),
+			Subject:  expr.Range().Ptr(),
+		}}
+	}
+
+	// If we get down here then our expression isn't just a keyword, so we'll
+	// try to process it as a call instead.
+	call, diags := hcl.ExprCall(expr)
+	if diags.HasErrors() {
+		return cty.DynamicPseudoType, hcl.Diagnostics{{
+			Severity: hcl.DiagError,
+			Summary:  invalidTypeSummary,
+			Detail:   "A type specification is either a primitive type keyword (bool, number, string) or a complex type constructor call, like list(string).",
+			Subject:  expr.Range().Ptr(),
+		}}
+	}
+
+	switch call.Name {
+	case "bool", "string", "number", "any":
+		return cty.DynamicPseudoType, hcl.Diagnostics{{
+			Severity: hcl.DiagError,
+			Summary:  invalidTypeSummary,
+			Detail:   fmt.Sprintf("Primitive type keyword %q does not expect arguments.", call.Name),
+			Subject:  &call.ArgsRange,
+		}}
+	}
+
+	if len(call.Arguments) != 1 {
+		contextRange := call.ArgsRange
+		subjectRange := call.ArgsRange
+		if len(call.Arguments) > 1 {
+			// If we have too many arguments (as opposed to too _few_) then
+			// we'll highlight the extraneous arguments as the diagnostic
+			// subject.
+			subjectRange = hcl.RangeBetween(call.Arguments[1].Range(), call.Arguments[len(call.Arguments)-1].Range())
+		}
+
+		switch call.Name {
+		case "list", "set", "map":
+			return cty.DynamicPseudoType, hcl.Diagnostics{{
+				Severity: hcl.DiagError,
+				Summary:  invalidTypeSummary,
+				Detail:   fmt.Sprintf("The %s type constructor requires one argument specifying the element type.", call.Name),
+				Subject:  &subjectRange,
+				Context:  &contextRange,
+			}}
+		case "object":
+			return cty.DynamicPseudoType, hcl.Diagnostics{{
+				Severity: hcl.DiagError,
+				Summary:  invalidTypeSummary,
+				Detail:   "The object type constructor requires one argument specifying the attribute types and values as a map.",
+				Subject:  &subjectRange,
+				Context:  &contextRange,
+			}}
+		case "tuple":
+			return cty.DynamicPseudoType, hcl.Diagnostics{{
+				Severity: hcl.DiagError,
+				Summary:  invalidTypeSummary,
+				Detail:   "The tuple type constructor requires one argument specifying the element types as a list.",
+				Subject:  &subjectRange,
+				Context:  &contextRange,
+			}}
+		}
+	}
+
+	switch call.Name {
+
+	case "list":
+		ety, diags := getType(call.Arguments[0], constraint)
+		return cty.List(ety), diags
+	case "set":
+		ety, diags := getType(call.Arguments[0], constraint)
+		return cty.Set(ety), diags
+	case "map":
+		ety, diags := getType(call.Arguments[0], constraint)
+		return cty.Map(ety), diags
+	case "object":
+		attrDefs, diags := hcl.ExprMap(call.Arguments[0])
+		if diags.HasErrors() {
+			return cty.DynamicPseudoType, hcl.Diagnostics{{
+				Severity: hcl.DiagError,
+				Summary:  invalidTypeSummary,
+				Detail:   "Object type constructor requires a map whose keys are attribute names and whose values are the corresponding attribute types.",
+				Subject:  call.Arguments[0].Range().Ptr(),
+				Context:  expr.Range().Ptr(),
+			}}
+		}
+
+		atys := make(map[string]cty.Type)
+		for _, attrDef := range attrDefs {
+			attrName := hcl.ExprAsKeyword(attrDef.Key)
+			if attrName == "" {
+				diags = append(diags, &hcl.Diagnostic{
+					Severity: hcl.DiagError,
+					Summary:  invalidTypeSummary,
+					Detail:   "Object constructor map keys must be attribute names.",
+					Subject:  attrDef.Key.Range().Ptr(),
+					Context:  expr.Range().Ptr(),
+				})
+				continue
+			}
+			aty, attrDiags := getType(attrDef.Value, constraint)
+			diags = append(diags, attrDiags...)
+			atys[attrName] = aty
+		}
+		return cty.Object(atys), diags
+	case "tuple":
+		elemDefs, diags := hcl.ExprList(call.Arguments[0])
+		if diags.HasErrors() {
+			return cty.DynamicPseudoType, hcl.Diagnostics{{
+				Severity: hcl.DiagError,
+				Summary:  invalidTypeSummary,
+				Detail:   "Tuple type constructor requires a list of element types.",
+				Subject:  call.Arguments[0].Range().Ptr(),
+				Context:  expr.Range().Ptr(),
+			}}
+		}
+		etys := make([]cty.Type, len(elemDefs))
+		for i, defExpr := range elemDefs {
+			ety, elemDiags := getType(defExpr, constraint)
+			diags = append(diags, elemDiags...)
+			etys[i] = ety
+		}
+		return cty.Tuple(etys), diags
+	default:
+		// Can't access call.Arguments in this path because we've not validated
+		// that it contains exactly one expression here.
+		return cty.DynamicPseudoType, hcl.Diagnostics{{
+			Severity: hcl.DiagError,
+			Summary:  invalidTypeSummary,
+			Detail:   fmt.Sprintf("Keyword %q is not a valid type constructor.", call.Name),
+			Subject:  expr.Range().Ptr(),
+		}}
+	}
+}

vendor/github.com/hashicorp/hcl/v2/ext/typeexpr/public.go

@@ -0,0 +1,129 @@
+package typeexpr
+
+import (
+	"bytes"
+	"fmt"
+	"sort"
+
+	"github.com/hashicorp/hcl/v2/hclsyntax"
+
+	"github.com/hashicorp/hcl/v2"
+	"github.com/zclconf/go-cty/cty"
+)
+
+// Type attempts to process the given expression as a type expression and, if
+// successful, returns the resulting type. If unsuccessful, error diagnostics
+// are returned.
+func Type(expr hcl.Expression) (cty.Type, hcl.Diagnostics) {
+	return getType(expr, false)
+}
+
+// TypeConstraint attempts to parse the given expression as a type constraint
+// and, if successful, returns the resulting type. If unsuccessful, error
+// diagnostics are returned.
+//
+// A type constraint has the same structure as a type, but it additionally
+// allows the keyword "any" to represent cty.DynamicPseudoType, which is often
+// used as a wildcard in type checking and type conversion operations.
+func TypeConstraint(expr hcl.Expression) (cty.Type, hcl.Diagnostics) {
+	return getType(expr, true)
+}
+
+// TypeString returns a string rendering of the given type as it would be
+// expected to appear in the HCL native syntax.
+//
+// This is primarily intended for showing types to the user in an application
+// that uses typexpr, where the user can be assumed to be familiar with the
+// type expression syntax. In applications that do not use typeexpr these
+// results may be confusing to the user and so type.FriendlyName may be
+// preferable, even though it's less precise.
+//
+// TypeString produces reasonable results only for types like what would be
+// produced by the Type and TypeConstraint functions. In particular, it cannot
+// support capsule types.
+func TypeString(ty cty.Type) string {
+	// Easy cases first
+	switch ty {
+	case cty.String:
+		return "string"
+	case cty.Bool:
+		return "bool"
+	case cty.Number:
+		return "number"
+	case cty.DynamicPseudoType:
+		return "any"
+	}
+
+	if ty.IsCapsuleType() {
+		panic("TypeString does not support capsule types")
+	}
+
+	if ty.IsCollectionType() {
+		ety := ty.ElementType()
+		etyString := TypeString(ety)
+		switch {
+		case ty.IsListType():
+			return fmt.Sprintf("list(%s)", etyString)
+		case ty.IsSetType():
+			return fmt.Sprintf("set(%s)", etyString)
+		case ty.IsMapType():
+			return fmt.Sprintf("map(%s)", etyString)
+		default:
+			// Should never happen because the above is exhaustive
+			panic("unsupported collection type")
+		}
+	}
+
+	if ty.IsObjectType() {
+		var buf bytes.Buffer
+		buf.WriteString("object({")
+		atys := ty.AttributeTypes()
+		names := make([]string, 0, len(atys))
+		for name := range atys {
+			names = append(names, name)
+		}
+		sort.Strings(names)
+		first := true
+		for _, name := range names {
+			aty := atys[name]
+			if !first {
+				buf.WriteByte(',')
+			}
+			if !hclsyntax.ValidIdentifier(name) {
+				// Should never happen for any type produced by this package,
+				// but we'll do something reasonable here just so we don't
+				// produce garbage if someone gives us a hand-assembled object
+				// type that has weird attribute names.
+				// Using Go-style quoting here isn't perfect, since it doesn't
+				// exactly match HCL syntax, but it's fine for an edge-case.
+				buf.WriteString(fmt.Sprintf("%q", name))
+			} else {
+				buf.WriteString(name)
+			}
+			buf.WriteByte('=')
+			buf.WriteString(TypeString(aty))
+			first = false
+		}
+		buf.WriteString("})")
+		return buf.String()
+	}
+
+	if ty.IsTupleType() {
+		var buf bytes.Buffer
+		buf.WriteString("tuple([")
+		etys := ty.TupleElementTypes()
+		first := true
+		for _, ety := range etys {
+			if !first {
+				buf.WriteByte(',')
+			}
+			buf.WriteString(TypeString(ety))
+			first = false
+		}
+		buf.WriteString("])")
+		return buf.String()
+	}
+
+	// Should never happen because we covered all cases above.
+	panic(fmt.Errorf("unsupported type %#v", ty))
+}

vendor/github.com/hashicorp/hcl/v2/ext/typeexpr/type_type.go

@@ -0,0 +1,118 @@
+package typeexpr
+
+import (
+	"fmt"
+	"reflect"
+
+	"github.com/hashicorp/hcl/v2"
+	"github.com/hashicorp/hcl/v2/ext/customdecode"
+	"github.com/zclconf/go-cty/cty"
+	"github.com/zclconf/go-cty/cty/convert"
+	"github.com/zclconf/go-cty/cty/function"
+)
+
+// TypeConstraintType is a cty capsule type that allows cty type constraints to
+// be used as values.
+//
+// If TypeConstraintType is used in a context supporting the
+// customdecode.CustomExpressionDecoder extension then it will implement
+// expression decoding using the TypeConstraint function, thus allowing
+// type expressions to be used in contexts where value expressions might
+// normally be expected, such as in arguments to function calls.
+var TypeConstraintType cty.Type
+
+// TypeConstraintVal constructs a cty.Value whose type is
+// TypeConstraintType.
+func TypeConstraintVal(ty cty.Type) cty.Value {
+	return cty.CapsuleVal(TypeConstraintType, &ty)
+}
+
+// TypeConstraintFromVal extracts the type from a cty.Value of
+// TypeConstraintType that was previously constructed using TypeConstraintVal.
+//
+// If the given value isn't a known, non-null value of TypeConstraintType
+// then this function will panic.
+func TypeConstraintFromVal(v cty.Value) cty.Type {
+	if !v.Type().Equals(TypeConstraintType) {
+		panic("value is not of TypeConstraintType")
+	}
+	ptr := v.EncapsulatedValue().(*cty.Type)
+	return *ptr
+}
+
+// ConvertFunc is a cty function that implements type conversions.
+//
+// Its signature is as follows:
+//     convert(value, type_constraint)
+//
+// ...where type_constraint is a type constraint expression as defined by
+// typeexpr.TypeConstraint.
+//
+// It relies on HCL's customdecode extension and so it's not suitable for use
+// in non-HCL contexts or if you are using a HCL syntax implementation that
+// does not support customdecode for function arguments. However, it _is_
+// supported for function calls in the HCL native expression syntax.
+var ConvertFunc function.Function
+
+func init() {
+	TypeConstraintType = cty.CapsuleWithOps("type constraint", reflect.TypeOf(cty.Type{}), &cty.CapsuleOps{
+		ExtensionData: func(key interface{}) interface{} {
+			switch key {
+			case customdecode.CustomExpressionDecoder:
+				return customdecode.CustomExpressionDecoderFunc(
+					func(expr hcl.Expression, ctx *hcl.EvalContext) (cty.Value, hcl.Diagnostics) {
+						ty, diags := TypeConstraint(expr)
+						if diags.HasErrors() {
+							return cty.NilVal, diags
+						}
+						return TypeConstraintVal(ty), nil
+					},
+				)
+			default:
+				return nil
+			}
+		},
+		TypeGoString: func(_ reflect.Type) string {
+			return "typeexpr.TypeConstraintType"
+		},
+		GoString: func(raw interface{}) string {
+			tyPtr := raw.(*cty.Type)
+			return fmt.Sprintf("typeexpr.TypeConstraintVal(%#v)", *tyPtr)
+		},
+		RawEquals: func(a, b interface{}) bool {
+			aPtr := a.(*cty.Type)
+			bPtr := b.(*cty.Type)
+			return (*aPtr).Equals(*bPtr)
+		},
+	})
+
+	ConvertFunc = function.New(&function.Spec{
+		Params: []function.Parameter{
+			{
+				Name:             "value",
+				Type:             cty.DynamicPseudoType,
+				AllowNull:        true,
+				AllowDynamicType: true,
+			},
+			{
+				Name: "type",
+				Type: TypeConstraintType,
+			},
+		},
+		Type: func(args []cty.Value) (cty.Type, error) {
+			wantTypePtr := args[1].EncapsulatedValue().(*cty.Type)
+			got, err := convert.Convert(args[0], *wantTypePtr)
+			if err != nil {
+				return cty.NilType, function.NewArgError(0, err)
+			}
+			return got.Type(), nil
+		},
+		Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) {
+			v, err := convert.Convert(args[0], retType)
+			if err != nil {
+				return cty.NilVal, function.NewArgError(0, err)
+			}
+			return v, nil
+		},
+	})
+}

vendor/github.com/hashicorp/hcl/v2/ext/userfunc/README.md

@@ -25,4 +25,4 @@ inclusion in a `hcl.EvalContext`. It also returns a new `cty.Body` that
 contains the remainder of the content from the given body, allowing for
 further processing of remaining content.
 
-For more information, see [the godoc reference](http://godoc.org/github.com/hashicorp/hcl/v2/ext/userfunc).
+For more information, see [the godoc reference](https://pkg.go.dev/github.com/hashicorp/hcl/v2/ext/userfunc?tab=doc).

vendor/github.com/hashicorp/hcl/v2/gohcl/decode.go

@@ -65,6 +65,19 @@ func decodeBodyToStruct(body hcl.Body, ctx *hcl.EvalContext, val reflect.Value)
 
 	tags := getFieldTags(val.Type())
 
+	if tags.Body != nil {
+		fieldIdx := *tags.Body
+		field := val.Type().Field(fieldIdx)
+		fieldV := val.Field(fieldIdx)
+		switch {
+		case bodyType.AssignableTo(field.Type):
+			fieldV.Set(reflect.ValueOf(body))
+
+		default:
+			diags = append(diags, decodeBodyToValue(body, ctx, fieldV)...)
+		}
+	}
+
 	if tags.Remain != nil {
 		fieldIdx := *tags.Remain
 		field := val.Type().Field(fieldIdx)
@@ -185,6 +198,9 @@ func decodeBodyToStruct(body hcl.Body, ctx *hcl.EvalContext, val reflect.Value)
 					diags = append(diags, decodeBlockToValue(block, ctx, v.Elem())...)
 					sli.Index(i).Set(v)
 				} else {
+					if i >= sli.Len() {
+						sli = reflect.Append(sli, reflect.Indirect(reflect.New(ty)))
+					}
 					diags = append(diags, decodeBlockToValue(block, ctx, sli.Index(i))...)
 				}
 			}

vendor/github.com/hashicorp/hcl/v2/gohcl/doc.go

@@ -30,6 +30,13 @@
 // in which case multiple blocks of the corresponding type are decoded into
 // the slice.
 //
+// "body" can be placed on a single field of type hcl.Body to capture
+// the full hcl.Body that was decoded for a block. This does not allow leftover
+// values like "remain", so a decoding error will still be returned if leftover
+// fields are given. If you want to capture the decoding body PLUS leftover
+// fields, you must specify a "remain" field as well to prevent errors. The
+// body field and the remain field will both contain the leftover fields.
+//
 // "label" fields are considered only in a struct used as the type of a field
 // marked as "block", and are used sequentially to capture the labels of
 // the blocks being decoded. In this case, the name token is used only as

vendor/github.com/hashicorp/hcl/v2/gohcl/schema.go

@@ -113,6 +113,7 @@ type fieldTags struct {
 	Blocks     map[string]int
 	Labels     []labelField
 	Remain     *int
+	Body       *int
 	Optional   map[string]bool
 }
 
@@ -162,6 +163,12 @@ func getFieldTags(ty reflect.Type) *fieldTags {
 			}
 			idx := i // copy, because this loop will continue assigning to i
 			ret.Remain = &idx
+		case "body":
+			if ret.Body != nil {
+				panic("only one 'body' tag is permitted")
+			}
+			idx := i // copy, because this loop will continue assigning to i
+			ret.Body = &idx
 		case "optional":
 			ret.Attributes[name] = i
 			ret.Optional[name] = true

vendor/github.com/hashicorp/hcl/v2/hclsyntax/expression.go

@@ -27,6 +27,32 @@ type Expression interface {
 // Assert that Expression implements hcl.Expression
 var assertExprImplExpr hcl.Expression = Expression(nil)
 
+// ParenthesesExpr represents an expression written in grouping
+// parentheses.
+//
+// The parser takes care of the precedence effect of the parentheses, so the
+// only purpose of this separate expression node is to capture the source range
+// of the parentheses themselves, rather than the source range of the
+// expression within. All of the other expression operations just pass through
+// to the underlying expression.
+type ParenthesesExpr struct {
+	Expression
+	SrcRange hcl.Range
+}
+
+var _ hcl.Expression = (*ParenthesesExpr)(nil)
+
+func (e *ParenthesesExpr) Range() hcl.Range {
+	return e.SrcRange
+}
+
+func (e *ParenthesesExpr) walkChildNodes(w internalWalkFunc) {
+	// We override the walkChildNodes from the embedded Expression to
+	// ensure that both the parentheses _and_ the content are visible
+	// in a walk.
+	w(e.Expression)
+}
+
 // LiteralValueExpr is an expression that just always returns a given value.
 type LiteralValueExpr struct {
 	Val      cty.Value
@@ -291,13 +317,17 @@ func (e *FunctionCallExpr) Value(ctx *hcl.EvalContext) (cty.Value, hcl.Diagnosti
 				return cty.DynamicVal, diags
 			}
 
+			// When expanding arguments from a collection, we must first unmark
+			// the collection itself, and apply any marks directly to the
+			// elements. This ensures that marks propagate correctly.
+			expandVal, marks := expandVal.Unmark()
 			newArgs := make([]Expression, 0, (len(args)-1)+expandVal.LengthInt())
 			newArgs = append(newArgs, args[:len(args)-1]...)
 			it := expandVal.ElementIterator()
 			for it.Next() {
 				_, val := it.Element()
 				newArgs = append(newArgs, &LiteralValueExpr{
-					Val:      val,
+					Val:      val.WithMarks(marks),
 					SrcRange: expandExpr.Range(),
 				})
 			}
@@ -598,6 +628,8 @@ func (e *ConditionalExpr) Value(ctx *hcl.EvalContext) (cty.Value, hcl.Diagnostic
 		return cty.UnknownVal(resultType), diags
 	}
 
+	// Unmark result before testing for truthiness
+	condResult, _ = condResult.UnmarkDeep()
 	if condResult.True() {
 		diags = append(diags, trueDiags...)
 		if convs[0] != nil {
@@ -793,6 +825,19 @@ func (e *ObjectConsExpr) Value(ctx *hcl.EvalContext) (cty.Value, hcl.Diagnostics
 			continue
 		}
 
+		if key.IsMarked() {
+			diags = append(diags, &hcl.Diagnostic{
+				Severity:    hcl.DiagError,
+				Summary:     "Marked value as key",
+				Detail:      "Can't use a marked value as a key.",
+				Subject:     item.ValueExpr.Range().Ptr(),
+				Expression:  item.KeyExpr,
+				EvalContext: ctx,
+			})
+			known = false
+			continue
+		}
+
 		var err error
 		key, err = convert.Convert(key, cty.String)
 		if err != nil {
@@ -971,6 +1016,9 @@ func (e *ForExpr) Value(ctx *hcl.EvalContext) (cty.Value, hcl.Diagnostics) {
 	if collVal.Type() == cty.DynamicPseudoType {
 		return cty.DynamicVal, diags
 	}
+	// Unmark collection before checking for iterability, because marked
+	// values cannot be iterated
+	collVal, marks := collVal.Unmark()
 	if !collVal.CanIterateElements() {
 		diags = append(diags, &hcl.Diagnostic{
 			Severity: hcl.DiagError,
@@ -1140,6 +1188,19 @@ func (e *ForExpr) Value(ctx *hcl.EvalContext) (cty.Value, hcl.Diagnostics) {
 				continue
 			}
 
+			if key.IsMarked() {
+				diags = append(diags, &hcl.Diagnostic{
+					Severity:    hcl.DiagError,
+					Summary:     "Invalid object key",
+					Detail:      "Marked values cannot be used as object keys.",
+					Subject:     e.KeyExpr.Range().Ptr(),
+					Context:     &e.SrcRange,
+					Expression:  e.KeyExpr,
+					EvalContext: childCtx,
+				})
+				continue
+			}
+
 			val, valDiags := e.ValExpr.Value(childCtx)
 			diags = append(diags, valDiags...)
 
@@ -1178,7 +1239,7 @@ func (e *ForExpr) Value(ctx *hcl.EvalContext) (cty.Value, hcl.Diagnostics) {
 			}
 		}
 
-		return cty.ObjectVal(vals), diags
+		return cty.ObjectVal(vals).WithMarks(marks), diags
 
 	} else {
 		// Producing a tuple
@@ -1254,7 +1315,7 @@ func (e *ForExpr) Value(ctx *hcl.EvalContext) (cty.Value, hcl.Diagnostics) {
 			return cty.DynamicVal, diags
 		}
 
-		return cty.TupleVal(vals), diags
+		return cty.TupleVal(vals).WithMarks(marks), diags
 	}
 }
 
@@ -1317,12 +1378,6 @@ func (e *SplatExpr) Value(ctx *hcl.EvalContext) (cty.Value, hcl.Diagnostics) {
 	}
 
 	sourceTy := sourceVal.Type()
-	if sourceTy == cty.DynamicPseudoType {
-		// If we don't even know the _type_ of our source value yet then
-		// we'll need to defer all processing, since we can't decide our
-		// result type either.
-		return cty.DynamicVal, diags
-	}
 
 	// A "special power" of splat expressions is that they can be applied
 	// both to tuples/lists and to other values, and in the latter case
@@ -1346,6 +1401,13 @@ func (e *SplatExpr) Value(ctx *hcl.EvalContext) (cty.Value, hcl.Diagnostics) {
 		return cty.DynamicVal, diags
 	}
 
+	if sourceTy == cty.DynamicPseudoType {
+		// If we don't even know the _type_ of our source value yet then
+		// we'll need to defer all processing, since we can't decide our
+		// result type either.
+		return cty.DynamicVal, diags
+	}
+
 	if autoUpgrade {
 		sourceVal = cty.TupleVal([]cty.Value{sourceVal})
 		sourceTy = sourceVal.Type()

vendor/github.com/hashicorp/hcl/v2/hclsyntax/expression_template.go

@@ -26,6 +26,9 @@ func (e *TemplateExpr) Value(ctx *hcl.EvalContext) (cty.Value, hcl.Diagnostics)
 	var diags hcl.Diagnostics
 	isKnown := true
 
+	// Maintain a set of marks for values used in the template
+	marks := make(cty.ValueMarks)
+
 	for _, part := range e.Parts {
 		partVal, partDiags := part.Value(ctx)
 		diags = append(diags, partDiags...)
@@ -71,14 +74,24 @@ func (e *TemplateExpr) Value(ctx *hcl.EvalContext) (cty.Value, hcl.Diagnostics)
 			continue
 		}
 
-		buf.WriteString(strVal.AsString())
+		// Unmark the part and merge its marks into the set
+		unmarked, partMarks := strVal.Unmark()
+		for k, v := range partMarks {
+			marks[k] = v
+		}
+
+		buf.WriteString(unmarked.AsString())
 	}
 
+	var ret cty.Value
 	if !isKnown {
-		return cty.UnknownVal(cty.String), diags
+		ret = cty.UnknownVal(cty.String)
+	} else {
+		ret = cty.StringVal(buf.String())
 	}
 
-	return cty.StringVal(buf.String()), diags
+	// Apply the full set of marks to the returned value
+	return ret.WithMarks(marks), diags
 }
 
 func (e *TemplateExpr) Range() hcl.Range {

vendor/github.com/hashicorp/hcl/v2/hclsyntax/parser.go

@@ -911,7 +911,7 @@ func (p *parser) parseExpressionTerm() (Expression, hcl.Diagnostics) {
 
 	switch start.Type {
 	case TokenOParen:
-		p.Read() // eat open paren
+		oParen := p.Read() // eat open paren
 
 		p.PushIncludeNewlines(false)
 
@@ -937,9 +937,19 @@ func (p *parser) parseExpressionTerm() (Expression, hcl.Diagnostics) {
 			p.setRecovery()
 		}
 
-		p.Read() // eat closing paren
+		cParen := p.Read() // eat closing paren
 		p.PopIncludeNewlines()
 
+		// Our parser's already taken care of the precedence effect of the
+		// parentheses by considering them to be a kind of "term", but we
+		// still need to include the parentheses in our AST so we can give
+		// an accurate representation of the source range that includes the
+		// open and closing parentheses.
+		expr = &ParenthesesExpr{
+			Expression: expr,
+			SrcRange:   hcl.RangeBetween(oParen.Range, cParen.Range),
+		}
+
 		return expr, diags
 
 	case TokenNumberLit:

vendor/github.com/hashicorp/hcl/v2/hclsyntax/token.go

@@ -202,7 +202,7 @@ func checkInvalidTokens(tokens Tokens) hcl.Diagnostics {
 				case TokenBitwiseAnd:
 					suggestion = " Did you mean boolean AND (\"&&\")?"
 				case TokenBitwiseOr:
-					suggestion = " Did you mean boolean OR (\"&&\")?"
+					suggestion = " Did you mean boolean OR (\"||\")?"
 				case TokenBitwiseNot:
 					suggestion = " Did you mean boolean NOT (\"!\")?"
 				}
@@ -294,12 +294,23 @@ func checkInvalidTokens(tokens Tokens) hcl.Diagnostics {
 				Subject:  &tok.Range,
 			})
 		case TokenInvalid:
-			diags = append(diags, &hcl.Diagnostic{
-				Severity: hcl.DiagError,
-				Summary:  "Invalid character",
-				Detail:   "This character is not used within the language.",
-				Subject:  &tok.Range,
-			})
+			chars := string(tok.Bytes)
+			switch chars {
+			case "“", "”":
+				diags = append(diags, &hcl.Diagnostic{
+					Severity: hcl.DiagError,
+					Summary:  "Invalid character",
+					Detail:   "\"Curly quotes\" are not valid here. These can sometimes be inadvertently introduced when sharing code via documents or discussion forums. It might help to replace the character with a \"straight quote\".",
+					Subject:  &tok.Range,
+				})
+			default:
+				diags = append(diags, &hcl.Diagnostic{
+					Severity: hcl.DiagError,
+					Summary:  "Invalid character",
+					Detail:   "This character is not used within the language.",
+					Subject:  &tok.Range,
+				})
+			}
 		}
 	}
 	return diags

vendor/github.com/hashicorp/hcl/v2/hclwrite/ast_block.go

@@ -10,7 +10,7 @@ type Block struct {
 
 	leadComments *node
 	typeName     *node
-	labels       nodeSet
+	labels       *node
 	open         *node
 	body         *node
 	close        *node
@@ -19,7 +19,6 @@ type Block struct {
 func newBlock() *Block {
 	return &Block{
 		inTree: newInTree(),
-		labels: newNodeSet(),
 	}
 }
 
@@ -35,12 +34,8 @@ func (b *Block) init(typeName string, labels []string) {
 	nameObj := newIdentifier(nameTok)
 	b.leadComments = b.children.Append(newComments(nil))
 	b.typeName = b.children.Append(nameObj)
-	for _, label := range labels {
-		labelToks := TokensForValue(cty.StringVal(label))
-		labelObj := newQuoted(labelToks)
-		labelNode := b.children.Append(labelObj)
-		b.labels.Add(labelNode)
-	}
+	labelsObj := newBlockLabels(labels)
+	b.labels = b.children.Append(labelsObj)
 	b.open = b.children.AppendUnstructuredTokens(Tokens{
 		{
 			Type:  hclsyntax.TokenOBrace,
@@ -79,10 +74,68 @@ func (b *Block) Type() string {
 	return string(typeNameObj.token.Bytes)
 }
 
+// SetType updates the type name of the block to a given name.
+func (b *Block) SetType(typeName string) {
+	nameTok := newIdentToken(typeName)
+	nameObj := newIdentifier(nameTok)
+	b.typeName.ReplaceWith(nameObj)
+}
+
 // Labels returns the labels of the block.
 func (b *Block) Labels() []string {
-	labelNames := make([]string, 0, len(b.labels))
-	list := b.labels.List()
+	return b.labelsObj().Current()
+}
+
+// SetLabels updates the labels of the block to given labels.
+// Since we cannot assume that old and new labels are equal in length,
+// remove old labels and insert new ones before TokenOBrace.
+func (b *Block) SetLabels(labels []string) {
+	b.labelsObj().Replace(labels)
+}
+
+// labelsObj returns the internal node content representation of the block
+// labels. This is not part of the public API because we're intentionally
+// exposing only a limited API to get/set labels on the block itself in a
+// manner similar to the main hcl.Block type, but our block accessors all
+// use this to get the underlying node content to work with.
+func (b *Block) labelsObj() *blockLabels {
+	return b.labels.content.(*blockLabels)
+}
+
+type blockLabels struct {
+	inTree
+
+	items nodeSet
+}
+
+func newBlockLabels(labels []string) *blockLabels {
+	ret := &blockLabels{
+		inTree: newInTree(),
+		items:  newNodeSet(),
+	}
+
+	ret.Replace(labels)
+	return ret
+}
+
+func (bl *blockLabels) Replace(newLabels []string) {
+	bl.inTree.children.Clear()
+	bl.items.Clear()
+
+	for _, label := range newLabels {
+		labelToks := TokensForValue(cty.StringVal(label))
+		// Force a new label to use the quoted form, which is the idiomatic
+		// form. The unquoted form is supported in HCL 2 only for compatibility
+		// with historical use in HCL 1.
+		labelObj := newQuoted(labelToks)
+		labelNode := bl.children.Append(labelObj)
+		bl.items.Add(labelNode)
+	}
+}
+
+func (bl *blockLabels) Current() []string {
+	labelNames := make([]string, 0, len(bl.items))
+	list := bl.items.List()
 
 	for _, label := range list {
 		switch labelObj := label.content.(type) {
@@ -106,6 +159,12 @@ func (b *Block) Labels() []string {
 				if !diags.HasErrors() {
 					labelNames = append(labelNames, labelString)
 				}
+			} else if len(tokens) == 2 &&
+				tokens[0].Type == hclsyntax.TokenOQuote &&
+				tokens[1].Type == hclsyntax.TokenCQuote {
+				// An open quote followed immediately by a closing quote is a
+				// valid but unusual blank string label.
+				labelNames = append(labelNames, "")
 			}
 
 		default:

vendor/github.com/hashicorp/hcl/v2/hclwrite/format.go

@@ -263,6 +263,10 @@ func spaceAfterToken(subject, before, after *Token) bool {
 	case after.Type == hclsyntax.TokenOBrack && (subject.Type == hclsyntax.TokenIdent || subject.Type == hclsyntax.TokenNumberLit || tokenBracketChange(subject) < 0):
 		return false
 
+	case subject.Type == hclsyntax.TokenBang:
+		// No space after a bang
+		return false
+
 	case subject.Type == hclsyntax.TokenMinus:
 		// Since a minus can either be subtraction or negation, and the latter
 		// should _not_ have a space after it, we need to use some heuristics

vendor/github.com/hashicorp/hcl/v2/hclwrite/node.go

@@ -130,6 +130,36 @@ func (ns *nodes) AppendNode(n *node) {
 	}
 }
 
+// Insert inserts a nodeContent at a given position.
+// This is just a wrapper for InsertNode. See InsertNode for details.
+func (ns *nodes) Insert(pos *node, c nodeContent) *node {
+	n := &node{
+		content: c,
+	}
+	ns.InsertNode(pos, n)
+	n.list = ns
+	return n
+}
+
+// InsertNode inserts a node at a given position.
+// The first argument is a node reference before which to insert.
+// To insert it to an empty list, set position to nil.
+func (ns *nodes) InsertNode(pos *node, n *node) {
+	if pos == nil {
+		// inserts n to empty list.
+		ns.first = n
+		ns.last = n
+	} else {
+		// inserts n before pos.
+		pos.before.after = n
+		n.before = pos.before
+		pos.before = n
+		n.after = pos
+	}
+
+	n.list = ns
+}
+
 func (ns *nodes) AppendUnstructuredTokens(tokens Tokens) *node {
 	if len(tokens) == 0 {
 		return nil
@@ -177,6 +207,12 @@ func (ns nodeSet) Remove(n *node) {
 	delete(ns, n)
 }
 
+func (ns nodeSet) Clear() {
+	for n := range ns {
+		delete(ns, n)
+	}
+}
+
 func (ns nodeSet) List() []*node {
 	if len(ns) == 0 {
 		return nil

vendor/github.com/hashicorp/hcl/v2/hclwrite/parser.go

@@ -289,7 +289,6 @@ func parseAttribute(nativeAttr *hclsyntax.Attribute, from, leadComments, lineCom
 func parseBlock(nativeBlock *hclsyntax.Block, from, leadComments, lineComments, newline inputTokens) *node {
 	block := &Block{
 		inTree: newInTree(),
-		labels: newNodeSet(),
 	}
 	children := block.inTree.children
 
@@ -312,24 +311,13 @@ func parseBlock(nativeBlock *hclsyntax.Block, from, leadComments, lineComments,
 		children.AppendNode(in)
 	}
 
-	for _, rng := range nativeBlock.LabelRanges {
-		var labelTokens inputTokens
-		before, labelTokens, from = from.Partition(rng)
-		children.AppendUnstructuredTokens(before.Tokens())
-		tokens := labelTokens.Tokens()
-		var ln *node
-		if len(tokens) == 1 && tokens[0].Type == hclsyntax.TokenIdent {
-			ln = newNode(newIdentifier(tokens[0]))
-		} else {
-			ln = newNode(newQuoted(tokens))
-		}
-		block.labels.Add(ln)
-		children.AppendNode(ln)
-	}
+	before, labelsNode, from := parseBlockLabels(nativeBlock, from)
+	block.labels = labelsNode
+	children.AppendNode(labelsNode)
 
 	before, oBrace, from := from.Partition(nativeBlock.OpenBraceRange)
 	children.AppendUnstructuredTokens(before.Tokens())
-	children.AppendUnstructuredTokens(oBrace.Tokens())
+	block.open = children.AppendUnstructuredTokens(oBrace.Tokens())
 
 	// We go a bit out of order here: we go hunting for the closing brace
 	// so that we have a delimited body, but then we'll deal with the body
@@ -342,7 +330,7 @@ func parseBlock(nativeBlock *hclsyntax.Block, from, leadComments, lineComments,
 	children.AppendNode(body)
 	children.AppendUnstructuredTokens(after.Tokens())
 
-	children.AppendUnstructuredTokens(cBrace.Tokens())
+	block.close = children.AppendUnstructuredTokens(cBrace.Tokens())
 
 	// stragglers
 	children.AppendUnstructuredTokens(from.Tokens())
@@ -356,6 +344,34 @@ func parseBlock(nativeBlock *hclsyntax.Block, from, leadComments, lineComments,
 	return newNode(block)
 }
 
+func parseBlockLabels(nativeBlock *hclsyntax.Block, from inputTokens) (inputTokens, *node, inputTokens) {
+	labelsObj := newBlockLabels(nil)
+	children := labelsObj.children
+
+	var beforeAll inputTokens
+	for i, rng := range nativeBlock.LabelRanges {
+		var before, labelTokens inputTokens
+		before, labelTokens, from = from.Partition(rng)
+		if i == 0 {
+			beforeAll = before
+		} else {
+			children.AppendUnstructuredTokens(before.Tokens())
+		}
+		tokens := labelTokens.Tokens()
+		var ln *node
+		if len(tokens) == 1 && tokens[0].Type == hclsyntax.TokenIdent {
+			ln = newNode(newIdentifier(tokens[0]))
+		} else {
+			ln = newNode(newQuoted(tokens))
+		}
+		labelsObj.items.Add(ln)
+		children.AppendNode(ln)
+	}
+
+	after := from
+	return beforeAll, newNode(labelsObj), after
+}
+
 func parseExpression(nativeExpr hclsyntax.Expression, from inputTokens) *node {
 	expr := newExpression()
 	children := expr.inTree.children

vendor/github.com/hashicorp/hcl/v2/json/parser.go

@@ -8,15 +8,23 @@ import (
 	"github.com/zclconf/go-cty/cty"
 )
 
-func parseFileContent(buf []byte, filename string) (node, hcl.Diagnostics) {
-	tokens := scan(buf, pos{
-		Filename: filename,
-		Pos: hcl.Pos{
-			Byte:   0,
-			Line:   1,
-			Column: 1,
-		},
-	})
+func parseFileContent(buf []byte, filename string, start hcl.Pos) (node, hcl.Diagnostics) {
+	tokens := scan(buf, pos{Filename: filename, Pos: start})
+	p := newPeeker(tokens)
+	node, diags := parseValue(p)
+	if len(diags) == 0 && p.Peek().Type != tokenEOF {
+		diags = diags.Append(&hcl.Diagnostic{
+			Severity: hcl.DiagError,
+			Summary:  "Extraneous data after value",
+			Detail:   "Extra characters appear after the JSON value.",
+			Subject:  p.Peek().Range.Ptr(),
+		})
+	}
+	return node, diags
+}
+
+func parseExpression(buf []byte, filename string, start hcl.Pos) (node, hcl.Diagnostics) {
+	tokens := scan(buf, pos{Filename: filename, Pos: start})
 	p := newPeeker(tokens)
 	node, diags := parseValue(p)
 	if len(diags) == 0 && p.Peek().Type != tokenEOF {

vendor/github.com/hashicorp/hcl/v2/json/public.go

@@ -18,7 +18,16 @@ import (
 // from its HasErrors method. If HasErrors returns true, the file represents
 // the subset of data that was able to be parsed, which may be none.
 func Parse(src []byte, filename string) (*hcl.File, hcl.Diagnostics) {
-	rootNode, diags := parseFileContent(src, filename)
+	return ParseWithStartPos(src, filename, hcl.Pos{Byte: 0, Line: 1, Column: 1})
+}
+
+// ParseWithStartPos attempts to parse like json.Parse, but unlike json.Parse
+// you can pass a start position of the given JSON as a hcl.Pos.
+//
+// In most cases json.Parse should be sufficient, but it can be useful for parsing
+// a part of JSON with correct positions.
+func ParseWithStartPos(src []byte, filename string, start hcl.Pos) (*hcl.File, hcl.Diagnostics) {
+	rootNode, diags := parseFileContent(src, filename, start)
 
 	switch rootNode.(type) {
 	case *objectVal, *arrayVal:
@@ -62,6 +71,20 @@ func Parse(src []byte, filename string) (*hcl.File, hcl.Diagnostics) {
 	return file, diags
 }
 
+// ParseExpression parses the given buffer as a standalone JSON expression,
+// returning it as an instance of Expression.
+func ParseExpression(src []byte, filename string) (hcl.Expression, hcl.Diagnostics) {
+	return ParseExpressionWithStartPos(src, filename, hcl.Pos{Byte: 0, Line: 1, Column: 1})
+}
+
+// ParseExpressionWithStartPos parses like json.ParseExpression, but unlike
+// json.ParseExpression you can pass a start position of the given JSON
+// expression as a hcl.Pos.
+func ParseExpressionWithStartPos(src []byte, filename string, start hcl.Pos) (hcl.Expression, hcl.Diagnostics) {
+	node, diags := parseExpression(src, filename, start)
+	return &expression{src: node}, diags
+}
+
 // ParseFile is a convenience wrapper around Parse that first attempts to load
 // data from the given filename, passing the result to Parse if successful.
 //

vendor/github.com/hashicorp/hcl/v2/ops.go

@@ -76,7 +76,10 @@ func Index(collection, key cty.Value, srcRange *Range) (cty.Value, Diagnostics)
 			}
 		}
 
-		has := collection.HasIndex(key)
+		// Here we drop marks from HasIndex result, in order to allow basic
+		// traversal of a marked list, tuple, or map in the same way we can
+		// traverse a marked object
+		has, _ := collection.HasIndex(key).Unmark()
 		if !has.IsKnown() {
 			if ty.IsTupleType() {
 				return cty.DynamicVal, nil
@@ -217,7 +220,12 @@ func GetAttr(obj cty.Value, attrName string, srcRange *Range) (cty.Value, Diagno
 		}
 
 		idx := cty.StringVal(attrName)
-		if obj.HasIndex(idx).False() {
+
+		// Here we drop marks from HasIndex result, in order to allow basic
+		// traversal of a marked map in the same way we can traverse a marked
+		// object
+		hasIndex, _ := obj.HasIndex(idx).Unmark()
+		if hasIndex.False() {
 			return cty.DynamicVal, Diagnostics{
 				{
 					Severity: DiagError,

vendor/github.com/zclconf/go-cty/cty/convert/conversion_collection.go

@@ -13,6 +13,14 @@ import (
 // if we're converting from a set into a list of the same element type.)
 func conversionCollectionToList(ety cty.Type, conv conversion) conversion {
 	return func(val cty.Value, path cty.Path) (cty.Value, error) {
+		if !val.Length().IsKnown() {
+			// If the input collection has an unknown length (which is true
+			// for a set containing unknown values) then our result must be
+			// an unknown list, because we can't predict how many elements
+			// the resulting list should have.
+			return cty.UnknownVal(cty.List(val.Type().ElementType())), nil
+		}
+
 		elems := make([]cty.Value, 0, val.LengthInt())
 		i := int64(0)
 		elemPath := append(path.Copy(), nil)
@@ -156,34 +164,45 @@ func conversionCollectionToMap(ety cty.Type, conv conversion) conversion {
 // given tuple type and return a set of the given element type.
 //
 // Will panic if the given tupleType isn't actually a tuple type.
-func conversionTupleToSet(tupleType cty.Type, listEty cty.Type, unsafe bool) conversion {
+func conversionTupleToSet(tupleType cty.Type, setEty cty.Type, unsafe bool) conversion {
 	tupleEtys := tupleType.TupleElementTypes()
 
 	if len(tupleEtys) == 0 {
 		// Empty tuple short-circuit
 		return func(val cty.Value, path cty.Path) (cty.Value, error) {
-			return cty.SetValEmpty(listEty), nil
+			return cty.SetValEmpty(setEty), nil
 		}
 	}
 
-	if listEty == cty.DynamicPseudoType {
+	if setEty == cty.DynamicPseudoType {
 		// This is a special case where the caller wants us to find
 		// a suitable single type that all elements can convert to, if
 		// possible.
-		listEty, _ = unify(tupleEtys, unsafe)
-		if listEty == cty.NilType {
+		setEty, _ = unify(tupleEtys, unsafe)
+		if setEty == cty.NilType {
 			return nil
 		}
+
+		// If the set element type after unification is still the dynamic
+		// type, the only way this can result in a valid set is if all values
+		// are of dynamic type
+		if setEty == cty.DynamicPseudoType {
+			for _, tupleEty := range tupleEtys {
+				if !tupleEty.Equals(cty.DynamicPseudoType) {
+					return nil
+				}
+			}
+		}
 	}
 
 	elemConvs := make([]conversion, len(tupleEtys))
 	for i, tupleEty := range tupleEtys {
-		if tupleEty.Equals(listEty) {
+		if tupleEty.Equals(setEty) {
 			// no conversion required
 			continue
 		}
 
-		elemConvs[i] = getConversion(tupleEty, listEty, unsafe)
+		elemConvs[i] = getConversion(tupleEty, setEty, unsafe)
 		if elemConvs[i] == nil {
 			// If any of our element conversions are impossible, then the our
 			// whole conversion is impossible.
@@ -244,6 +263,17 @@ func conversionTupleToList(tupleType cty.Type, listEty cty.Type, unsafe bool) co
 		if listEty == cty.NilType {
 			return nil
 		}
+
+		// If the list element type after unification is still the dynamic
+		// type, the only way this can result in a valid list is if all values
+		// are of dynamic type
+		if listEty == cty.DynamicPseudoType {
+			for _, tupleEty := range tupleEtys {
+				if !tupleEty.Equals(cty.DynamicPseudoType) {
+					return nil
+				}
+			}
+		}
 	}
 
 	elemConvs := make([]conversion, len(tupleEtys))
@@ -265,6 +295,7 @@ func conversionTupleToList(tupleType cty.Type, listEty cty.Type, unsafe bool) co
 	// element conversions in elemConvs
 	return func(val cty.Value, path cty.Path) (cty.Value, error) {
 		elems := make([]cty.Value, 0, len(elemConvs))
+		elemTys := make([]cty.Type, 0, len(elems))
 		elemPath := append(path.Copy(), nil)
 		i := int64(0)
 		it := val.ElementIterator()
@@ -284,10 +315,15 @@ func conversionTupleToList(tupleType cty.Type, listEty cty.Type, unsafe bool) co
 				}
 			}
 			elems = append(elems, val)
+			elemTys = append(elemTys, val.Type())
 
 			i++
 		}
 
+		elems, err := conversionUnifyListElements(elems, elemPath, unsafe)
+		if err != nil {
+			return cty.NilVal, err
+		}
 		return cty.ListVal(elems), nil
 	}
 }
@@ -430,6 +466,16 @@ func conversionMapToObject(mapType cty.Type, objType cty.Type, unsafe bool) conv
 			elems[name.AsString()] = val
 		}
 
+		for name, aty := range objectAtys {
+			if _, exists := elems[name]; !exists {
+				if optional := objType.AttributeOptional(name); optional {
+					elems[name] = cty.NullVal(aty)
+				} else {
+					return cty.NilVal, path.NewErrorf("map has no element for required attribute %q", name)
+				}
+			}
+		}
+
 		return cty.ObjectVal(elems), nil
 	}
 }
@@ -441,6 +487,7 @@ func conversionUnifyCollectionElements(elems map[string]cty.Value, path cty.Path
 	}
 	unifiedType, _ := unify(elemTypes, unsafe)
 	if unifiedType == cty.NilType {
+		return nil, path.NewErrorf("collection elements cannot be unified")
 	}
 
 	unifiedElems := make(map[string]cty.Value)
@@ -486,3 +533,37 @@ func conversionCheckMapElementTypes(elems map[string]cty.Value, path cty.Path) e
 
 	return nil
 }
+
+func conversionUnifyListElements(elems []cty.Value, path cty.Path, unsafe bool) ([]cty.Value, error) {
+	elemTypes := make([]cty.Type, len(elems))
+	for i, elem := range elems {
+		elemTypes[i] = elem.Type()
+	}
+	unifiedType, _ := unify(elemTypes, unsafe)
+	if unifiedType == cty.NilType {
+		return nil, path.NewErrorf("collection elements cannot be unified")
+	}
+
+	ret := make([]cty.Value, len(elems))
+	elemPath := append(path.Copy(), nil)
+
+	for i, elem := range elems {
+		if elem.Type().Equals(unifiedType) {
+			ret[i] = elem
+			continue
+		}
+		conv := getConversion(elem.Type(), unifiedType, unsafe)
+		if conv == nil {
+		}
+		elemPath[len(elemPath)-1] = cty.IndexStep{
+			Key: cty.NumberIntVal(int64(i)),
+		}
+		val, err := conv(elem, elemPath)
+		if err != nil {
+			return nil, err
+		}
+		ret[i] = val
+	}
+
+	return ret, nil
+}

vendor/github.com/zclconf/go-cty/cty/convert/conversion_object.go

@@ -11,17 +11,29 @@ import (
 // type, meaning that each attribute of the output type has a corresponding
 // attribute in the input type where a recursive conversion is available.
 //
+// If the "out" type has any optional attributes, those attributes may be
+// absent in the "in" type, in which case null values will be used in their
+// place in the result.
+//
 // Shallow object conversions work the same for both safe and unsafe modes,
 // but the safety flag is passed on to recursive conversions and may thus
 // limit the above definition of "subset".
 func conversionObjectToObject(in, out cty.Type, unsafe bool) conversion {
 	inAtys := in.AttributeTypes()
 	outAtys := out.AttributeTypes()
+	outOptionals := out.OptionalAttributes()
 	attrConvs := make(map[string]conversion)
 
 	for name, outAty := range outAtys {
 		inAty, exists := inAtys[name]
 		if !exists {
+			if _, optional := outOptionals[name]; optional {
+				// If it's optional then we'll skip inserting an
+				// attribute conversion and then deal with inserting
+				// the default value in our overall conversion logic
+				// later.
+				continue
+			}
 			// No conversion is available, then.
 			return nil
 		}
@@ -71,6 +83,13 @@ func conversionObjectToObject(in, out cty.Type, unsafe bool) conversion {
 			attrVals[name] = val
 		}
 
+		for name := range outOptionals {
+			if _, exists := attrVals[name]; !exists {
+				wantTy := outAtys[name]
+				attrVals[name] = cty.NullVal(wantTy)
+			}
+		}
+
 		return cty.ObjectVal(attrVals), nil
 	}
 }

vendor/github.com/zclconf/go-cty/cty/convert/mismatch_msg.go

@@ -78,10 +78,16 @@ func mismatchMessageObjects(got, want cty.Type) string {
 	for name, wantAty := range wantAtys {
 		gotAty, exists := gotAtys[name]
 		if !exists {
-			missingAttrs = append(missingAttrs, name)
+			if !want.AttributeOptional(name) {
+				missingAttrs = append(missingAttrs, name)
+			}
 			continue
 		}
 
+		if gotAty.Equals(wantAty) {
+			continue // exact match, so no problem
+		}
+
 		// We'll now try to convert these attributes in isolation and
 		// see if we have a nested conversion error to report.
 		// We'll try an unsafe conversion first, and then fall back on

vendor/github.com/zclconf/go-cty/cty/function/function.go

@@ -244,19 +244,21 @@ func (f Function) Call(args []cty.Value) (val cty.Value, err error) {
 			return cty.UnknownVal(expectedType), nil
 		}
 
-		if val.IsMarked() && !spec.AllowMarked {
-			unwrappedVal, marks := val.Unmark()
-			// In order to avoid additional overhead on applications that
-			// are not using marked values, we copy the given args only
-			// if we encounter a marked value we need to unmark. However,
-			// as a consequence we end up doing redundant copying if multiple
-			// marked values need to be unwrapped. That seems okay because
-			// argument lists are generally small.
-			newArgs := make([]cty.Value, len(args))
-			copy(newArgs, args)
-			newArgs[i] = unwrappedVal
-			resultMarks = append(resultMarks, marks)
-			args = newArgs
+		if !spec.AllowMarked {
+			unwrappedVal, marks := val.UnmarkDeep()
+			if len(marks) > 0 {
+				// In order to avoid additional overhead on applications that
+				// are not using marked values, we copy the given args only
+				// if we encounter a marked value we need to unmark. However,
+				// as a consequence we end up doing redundant copying if multiple
+				// marked values need to be unwrapped. That seems okay because
+				// argument lists are generally small.
+				newArgs := make([]cty.Value, len(args))
+				copy(newArgs, args)
+				newArgs[i] = unwrappedVal
+				resultMarks = append(resultMarks, marks)
+				args = newArgs
+			}
 		}
 	}
 
@@ -266,13 +268,15 @@ func (f Function) Call(args []cty.Value) (val cty.Value, err error) {
 			if !val.IsKnown() && !spec.AllowUnknown {
 				return cty.UnknownVal(expectedType), nil
 			}
-			if val.IsMarked() && !spec.AllowMarked {
-				unwrappedVal, marks := val.Unmark()
-				newArgs := make([]cty.Value, len(args))
-				copy(newArgs, args)
-				newArgs[len(posArgs)+i] = unwrappedVal
-				resultMarks = append(resultMarks, marks)
-				args = newArgs
+			if !spec.AllowMarked {
+				unwrappedVal, marks := val.UnmarkDeep()
+				if len(marks) > 0 {
+					newArgs := make([]cty.Value, len(args))
+					copy(newArgs, args)
+					newArgs[len(posArgs)+i] = unwrappedVal
+					resultMarks = append(resultMarks, marks)
+					args = newArgs
+				}
 			}
 		}
 	}

vendor/github.com/zclconf/go-cty/cty/function/stdlib/collection.go

@@ -138,6 +138,13 @@ var ElementFunc = function.New(&function.Spec{
 	},
 	Type: func(args []cty.Value) (cty.Type, error) {
 		list := args[0]
+		index := args[1]
+		if index.IsKnown() {
+			if index.LessThan(cty.NumberIntVal(0)).True() {
+				return cty.DynamicPseudoType, fmt.Errorf("cannot use element function with a negative index")
+			}
+		}
+
 		listTy := list.Type()
 		switch {
 		case listTy.IsListType():
@@ -173,6 +180,10 @@ var ElementFunc = function.New(&function.Spec{
 			return cty.DynamicVal, fmt.Errorf("invalid index: %s", err)
 		}
 
+		if args[1].LessThan(cty.NumberIntVal(0)).True() {
+			return cty.DynamicVal, fmt.Errorf("cannot use element function with a negative index")
+		}
+
 		if !args[0].IsKnown() {
 			return cty.UnknownVal(retType), nil
 		}
@@ -240,6 +251,10 @@ var CoalesceListFunc = function.New(&function.Spec{
 				return cty.UnknownVal(retType), nil
 			}
 
+			if arg.IsNull() {
+				continue
+			}
+
 			if arg.LengthInt() > 0 {
 				return arg, nil
 			}
@@ -492,6 +507,11 @@ var FlattenFunc = function.New(&function.Spec{
 // We can flatten lists with unknown values, as long as they are not
 // lists themselves.
 func flattener(flattenList cty.Value) ([]cty.Value, bool) {
+	if !flattenList.Length().IsKnown() {
+		// If we don't know the length of what we're flattening then we can't
+		// predict the length of our result yet either.
+		return nil, false
+	}
 	out := make([]cty.Value, 0)
 	for it := flattenList.ElementIterator(); it.Next(); {
 		_, val := it.Element()
@@ -742,16 +762,10 @@ var MergeFunc = function.New(&function.Spec{
 	Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
 		outputMap := make(map[string]cty.Value)
 
-		// if all inputs are null, return a null value rather than an object
-		// with null attributes
-		allNull := true
 		for _, arg := range args {
 			if arg.IsNull() {
 				continue
-			} else {
-				allNull = false
 			}
-
 			for it := arg.ElementIterator(); it.Next(); {
 				k, v := it.Element()
 				outputMap[k.AsString()] = v
@@ -759,9 +773,10 @@ var MergeFunc = function.New(&function.Spec{
 		}
 
 		switch {
-		case allNull:
-			return cty.NullVal(retType), nil
 		case retType.IsMapType():
+			if len(outputMap) == 0 {
+				return cty.MapValEmpty(retType.ElementType()), nil
+			}
 			return cty.MapVal(outputMap), nil
 		case retType.IsObjectType(), retType.Equals(cty.DynamicPseudoType):
 			return cty.ObjectVal(outputMap), nil
@@ -869,6 +884,10 @@ var SetProductFunc = function.New(&function.Spec{
 
 		total := 1
 		for _, arg := range args {
+			if !arg.Length().IsKnown() {
+				return cty.UnknownVal(retType), nil
+			}
+
 			// Because of our type checking function, we are guaranteed that
 			// all of the arguments are known, non-null values of types that
 			// support LengthInt.
@@ -1016,7 +1035,8 @@ func sliceIndexes(args []cty.Value) (int, int, bool, error) {
 	var startIndex, endIndex, length int
 	var startKnown, endKnown, lengthKnown bool
 
-	if args[0].Type().IsTupleType() || args[0].IsKnown() { // if it's a tuple then we always know the length by the type, but lists must be known
+	// If it's a tuple then we always know the length by the type, but collections might be unknown or have unknown length
+	if args[0].Type().IsTupleType() || args[0].Length().IsKnown() {
 		length = args[0].LengthInt()
 		lengthKnown = true
 	}

vendor/github.com/zclconf/go-cty/cty/function/stdlib/datetime.go

@@ -362,9 +362,14 @@ func splitDateFormat(data []byte, atEOF bool) (advance int, token []byte, err er
 		for i := 1; i < len(data); i++ {
 			if data[i] == esc {
 				if (i + 1) == len(data) {
-					// We need at least one more byte to decide if this is an
-					// escape or a terminator.
-					return 0, nil, nil
+					if atEOF {
+						// We have a closing quote and are at the end of our input
+						return len(data), data, nil
+					} else {
+						// We need at least one more byte to decide if this is an
+						// escape or a terminator.
+						return 0, nil, nil
+					}
 				}
 				if data[i+1] == esc {
 					i++ // doubled-up quotes are an escape sequence

vendor/github.com/zclconf/go-cty/cty/function/stdlib/format.go

@@ -85,7 +85,7 @@ var FormatListFunc = function.New(&function.Spec{
 			argTy := arg.Type()
 			switch {
 			case (argTy.IsListType() || argTy.IsSetType() || argTy.IsTupleType()) && !arg.IsNull():
-				if !argTy.IsTupleType() && !arg.IsKnown() {
+				if !argTy.IsTupleType() && !(arg.IsKnown() && arg.Length().IsKnown()) {
 					// We can't iterate this one at all yet then, so we can't
 					// yet produce a result.
 					unknowns[i] = true

vendor/github.com/zclconf/go-cty/cty/function/stdlib/json.go

@@ -12,6 +12,7 @@ var JSONEncodeFunc = function.New(&function.Spec{
 			Name:             "val",
 			Type:             cty.DynamicPseudoType,
 			AllowDynamicType: true,
+			AllowNull:        true,
 		},
 	},
 	Type: function.StaticReturnType(cty.String),
@@ -24,6 +25,10 @@ var JSONEncodeFunc = function.New(&function.Spec{
 			return cty.UnknownVal(retType), nil
 		}
 
+		if val.IsNull() {
+			return cty.StringVal("null"), nil
+		}
+
 		buf, err := json.Marshal(val, val.Type())
 		if err != nil {
 			return cty.NilVal, err

vendor/github.com/zclconf/go-cty/cty/function/stdlib/set.go

@@ -44,7 +44,7 @@ var SetUnionFunc = function.New(&function.Spec{
 	Type: setOperationReturnType,
 	Impl: setOperationImpl(func(s1, s2 cty.ValueSet) cty.ValueSet {
 		return s1.Union(s2)
-	}),
+	}, true),
 })
 
 var SetIntersectionFunc = function.New(&function.Spec{
@@ -63,7 +63,7 @@ var SetIntersectionFunc = function.New(&function.Spec{
 	Type: setOperationReturnType,
 	Impl: setOperationImpl(func(s1, s2 cty.ValueSet) cty.ValueSet {
 		return s1.Intersection(s2)
-	}),
+	}, false),
 })
 
 var SetSubtractFunc = function.New(&function.Spec{
@@ -82,7 +82,7 @@ var SetSubtractFunc = function.New(&function.Spec{
 	Type: setOperationReturnType,
 	Impl: setOperationImpl(func(s1, s2 cty.ValueSet) cty.ValueSet {
 		return s1.Subtract(s2)
-	}),
+	}, false),
 })
 
 var SetSymmetricDifferenceFunc = function.New(&function.Spec{
@@ -100,8 +100,8 @@ var SetSymmetricDifferenceFunc = function.New(&function.Spec{
 	},
 	Type: setOperationReturnType,
 	Impl: setOperationImpl(func(s1, s2 cty.ValueSet) cty.ValueSet {
-		return s1.Subtract(s2)
-	}),
+		return s1.SymmetricDifference(s2)
+	}, false),
 })
 
 // SetHasElement determines whether the given set contains the given value as an
@@ -163,8 +163,23 @@ func SetSymmetricDifference(sets ...cty.Value) (cty.Value, error) {
 func setOperationReturnType(args []cty.Value) (ret cty.Type, err error) {
 	var etys []cty.Type
 	for _, arg := range args {
-		etys = append(etys, arg.Type().ElementType())
+		ty := arg.Type().ElementType()
+
+		// Do not unify types for empty dynamic pseudo typed collections. These
+		// will always convert to any other concrete type.
+		if arg.IsKnown() && arg.LengthInt() == 0 && ty.Equals(cty.DynamicPseudoType) {
+			continue
+		}
+
+		etys = append(etys, ty)
 	}
+
+	// If all element types were skipped (due to being empty dynamic collections),
+	// the return type should also be a set of dynamic pseudo type.
+	if len(etys) == 0 {
+		return cty.Set(cty.DynamicPseudoType), nil
+	}
+
 	newEty, _ := convert.UnifyUnsafe(etys)
 	if newEty == cty.NilType {
 		return cty.NilType, fmt.Errorf("given sets must all have compatible element types")
@@ -172,13 +187,21 @@ func setOperationReturnType(args []cty.Value) (ret cty.Type, err error) {
 	return cty.Set(newEty), nil
 }
 
-func setOperationImpl(f func(s1, s2 cty.ValueSet) cty.ValueSet) function.ImplFunc {
+func setOperationImpl(f func(s1, s2 cty.ValueSet) cty.ValueSet, allowUnknowns bool) function.ImplFunc {
 	return func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
 		first := args[0]
 		first, err = convert.Convert(first, retType)
 		if err != nil {
 			return cty.NilVal, function.NewArgError(0, err)
 		}
+		if !allowUnknowns && !first.IsWhollyKnown() {
+			// This set function can produce a correct result only when all
+			// elements are known, because eventually knowing the unknown
+			// values may cause the result to have fewer known elements, or
+			// might cause a result with no unknown elements at all to become
+			// one with a different length.
+			return cty.UnknownVal(retType), nil
+		}
 
 		set := first.AsValueSet()
 		for i, arg := range args[1:] {
@@ -186,6 +209,10 @@ func setOperationImpl(f func(s1, s2 cty.ValueSet) cty.ValueSet) function.ImplFun
 			if err != nil {
 				return cty.NilVal, function.NewArgError(i+1, err)
 			}
+			if !allowUnknowns && !arg.IsWhollyKnown() {
+				// (For the same reason as we did this check for "first" above.)
+				return cty.UnknownVal(retType), nil
+			}
 
 			argSet := arg.AsValueSet()
 			set = f(set, argSet)

vendor/github.com/zclconf/go-cty/cty/json.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"sort"
 )
 
 // MarshalJSON is an implementation of json.Marshaler that allows Type
@@ -52,6 +53,19 @@ func (t Type) MarshalJSON() ([]byte, error) {
 		}
 		buf.WriteString(`["object",`)
 		buf.Write(atysJSON)
+		if optionals := t.OptionalAttributes(); len(optionals) > 0 {
+			buf.WriteByte(',')
+			optionalNames := make([]string, 0, len(optionals))
+			for k := range optionals {
+				optionalNames = append(optionalNames, k)
+			}
+			sort.Strings(optionalNames)
+			optionalsJSON, err := json.Marshal(optionalNames)
+			if err != nil {
+				return nil, err
+			}
+			buf.Write(optionalsJSON)
+		}
 		buf.WriteRune(']')
 		return buf.Bytes(), nil
 	case typeTuple:
@@ -148,7 +162,16 @@ func (t *Type) UnmarshalJSON(buf []byte) error {
 			if err != nil {
 				return err
 			}
-			*t = Object(atys)
+			if dec.More() {
+				var optionals []string
+				err = dec.Decode(&optionals)
+				if err != nil {
+					return err
+				}
+				*t = ObjectWithOptionalAttrs(atys, optionals)
+			} else {
+				*t = Object(atys)
+			}
 		case "tuple":
 			var etys []Type
 			err = dec.Decode(&etys)

vendor/github.com/zclconf/go-cty/cty/json/marshal.go

@@ -10,7 +10,7 @@ import (
 
 func marshal(val cty.Value, t cty.Type, path cty.Path, b *bytes.Buffer) error {
 	if val.IsMarked() {
-		return path.NewErrorf("value has marks, so it cannot be seralized")
+		return path.NewErrorf("value has marks, so it cannot be serialized as JSON")
 	}
 
 	// If we're going to decode as DynamicPseudoType then we need to save

vendor/github.com/zclconf/go-cty/cty/marks.go

@@ -67,6 +67,23 @@ func (m ValueMarks) GoString() string {
 	return s.String()
 }
 
+// PathValueMarks is a structure that enables tracking marks
+// and the paths where they are located in one type
+type PathValueMarks struct {
+	Path  Path
+	Marks ValueMarks
+}
+
+func (p PathValueMarks) Equal(o PathValueMarks) bool {
+	if !p.Path.Equals(o.Path) {
+		return false
+	}
+	if !p.Marks.Equal(o.Marks) {
+		return false
+	}
+	return true
+}
+
 // IsMarked returns true if and only if the receiving value carries at least
 // one mark. A marked value cannot be used directly with integration methods
 // without explicitly unmarking it (and retrieving the markings) first.
@@ -174,6 +191,31 @@ func (val Value) Mark(mark interface{}) Value {
 	}
 }
 
+type applyPathValueMarksTransformer struct {
+	pvm []PathValueMarks
+}
+
+func (t *applyPathValueMarksTransformer) Enter(p Path, v Value) (Value, error) {
+	return v, nil
+}
+
+func (t *applyPathValueMarksTransformer) Exit(p Path, v Value) (Value, error) {
+	for _, path := range t.pvm {
+		if p.Equals(path.Path) {
+			return v.WithMarks(path.Marks), nil
+		}
+	}
+	return v, nil
+}
+
+// MarkWithPaths accepts a slice of PathValueMarks to apply
+// markers to particular paths and returns the marked
+// Value.
+func (val Value) MarkWithPaths(pvm []PathValueMarks) Value {
+	ret, _ := TransformWithTransformer(val, &applyPathValueMarksTransformer{pvm})
+	return ret
+}
+
 // Unmark separates the marks of the receiving value from the value itself,
 // removing a new unmarked value and a map (representing a set) of the marks.
 //
@@ -191,6 +233,24 @@ func (val Value) Unmark() (Value, ValueMarks) {
 	}, marks
 }
 
+type unmarkTransformer struct {
+	pvm []PathValueMarks
+}
+
+func (t *unmarkTransformer) Enter(p Path, v Value) (Value, error) {
+	unmarkedVal, marks := v.Unmark()
+	if len(marks) > 0 {
+		path := make(Path, len(p), len(p)+1)
+		copy(path, p)
+		t.pvm = append(t.pvm, PathValueMarks{path, marks})
+	}
+	return unmarkedVal, nil
+}
+
+func (t *unmarkTransformer) Exit(p Path, v Value) (Value, error) {
+	return v, nil
+}
+
 // UnmarkDeep is similar to Unmark, but it works with an entire nested structure
 // rather than just the given value directly.
 //
@@ -198,17 +258,29 @@ func (val Value) Unmark() (Value, ValueMarks) {
 // the returned marks set includes the superset of all of the marks encountered
 // during the operation.
 func (val Value) UnmarkDeep() (Value, ValueMarks) {
+	t := unmarkTransformer{}
+	ret, _ := TransformWithTransformer(val, &t)
+
 	marks := make(ValueMarks)
-	ret, _ := Transform(val, func(_ Path, v Value) (Value, error) {
-		unmarkedV, valueMarks := v.Unmark()
-		for m, s := range valueMarks {
+	for _, pvm := range t.pvm {
+		for m, s := range pvm.Marks {
 			marks[m] = s
 		}
-		return unmarkedV, nil
-	})
+	}
+
 	return ret, marks
 }
 
+// UnmarkDeepWithPaths is like UnmarkDeep, except it returns a slice
+// of PathValueMarks rather than a superset of all marks. This allows
+// a caller to know which marks are associated with which paths
+// in the Value.
+func (val Value) UnmarkDeepWithPaths() (Value, []PathValueMarks) {
+	t := unmarkTransformer{}
+	ret, _ := TransformWithTransformer(val, &t)
+	return ret, t.pvm
+}
+
 func (val Value) unmarkForce() Value {
 	unw, _ := val.Unmark()
 	return unw

vendor/github.com/zclconf/go-cty/cty/object_type.go

@@ -2,11 +2,13 @@ package cty
 
 import (
 	"fmt"
+	"sort"
 )
 
 type typeObject struct {
 	typeImplSigil
-	AttrTypes map[string]Type
+	AttrTypes    map[string]Type
+	AttrOptional map[string]struct{}
 }
 
 // Object creates an object type with the given attribute types.
@@ -14,14 +16,52 @@ type typeObject struct {
 // After a map is passed to this function the caller must no longer access it,
 // since ownership is transferred to this library.
 func Object(attrTypes map[string]Type) Type {
+	return ObjectWithOptionalAttrs(attrTypes, nil)
+}
+
+// ObjectWithOptionalAttrs creates an object type where some of its attributes
+// are optional.
+//
+// This function is EXPERIMENTAL. The behavior of the function or of any other
+// functions working either directly or indirectly with a type created by
+// this function is not currently considered as a compatibility constraint, and
+// is subject to change even in minor-version releases of this module. Other
+// modules that work with cty types and values may or may not support object
+// types with optional attributes; if they do not, their behavior when
+// receiving one may be non-ideal.
+//
+// Optional attributes are significant only when an object type is being used
+// as a target type for conversion in the "convert" package. A value of an
+// object type always has a value for each of the attributes in the attribute
+// types table, with optional values replaced with null during conversion.
+//
+// All keys in the optional slice must also exist in the attrTypes map. If not,
+// this function will panic.
+//
+// After a map or array is passed to this function the caller must no longer
+// access it, since ownership is transferred to this library.
+func ObjectWithOptionalAttrs(attrTypes map[string]Type, optional []string) Type {
 	attrTypesNorm := make(map[string]Type, len(attrTypes))
 	for k, v := range attrTypes {
 		attrTypesNorm[NormalizeString(k)] = v
 	}
 
+	var optionalSet map[string]struct{}
+	if len(optional) > 0 {
+		optionalSet = make(map[string]struct{}, len(optional))
+		for _, k := range optional {
+			k = NormalizeString(k)
+			if _, exists := attrTypesNorm[k]; !exists {
+				panic(fmt.Sprintf("optional contains undeclared attribute %q", k))
+			}
+			optionalSet[k] = struct{}{}
+		}
+	}
+
 	return Type{
 		typeObject{
-			AttrTypes: attrTypesNorm,
+			AttrTypes:    attrTypesNorm,
+			AttrOptional: optionalSet,
 		},
 	}
 }
@@ -44,6 +84,11 @@ func (t typeObject) Equals(other Type) bool {
 			if !oty.Equals(ty) {
 				return false
 			}
+			_, opt := t.AttrOptional[attr]
+			_, oopt := ot.AttrOptional[attr]
+			if opt != oopt {
+				return false
+			}
 		}
 
 		return true
@@ -66,6 +111,14 @@ func (t typeObject) GoString() string {
 	if len(t.AttrTypes) == 0 {
 		return "cty.EmptyObject"
 	}
+	if len(t.AttrOptional) > 0 {
+		opt := make([]string, len(t.AttrOptional))
+		for k := range t.AttrOptional {
+			opt = append(opt, k)
+		}
+		sort.Strings(opt)
+		return fmt.Sprintf("cty.ObjectWithOptionalAttrs(%#v, %#v)", t.AttrTypes, opt)
+	}
 	return fmt.Sprintf("cty.Object(%#v)", t.AttrTypes)
 }
 
@@ -133,3 +186,35 @@ func (t Type) AttributeTypes() map[string]Type {
 	}
 	panic("AttributeTypes on non-object Type")
 }
+
+// OptionalAttributes returns a map representing the set of attributes
+// that are optional. Will panic if the receiver is not an object type
+// (use IsObjectType to confirm).
+//
+// The returned map is part of the internal state of the type, and is provided
+// for read access only. It is forbidden for any caller to modify the returned
+// map.
+func (t Type) OptionalAttributes() map[string]struct{} {
+	if ot, ok := t.typeImpl.(typeObject); ok {
+		return ot.AttrOptional
+	}
+	panic("OptionalAttributes on non-object Type")
+}
+
+// AttributeOptional returns true if the attribute of the given name is
+// optional.
+//
+// Will panic if the receiver is not an object type (use IsObjectType to
+// confirm) or if the object type has no such attribute (use HasAttribute to
+// confirm).
+func (t Type) AttributeOptional(name string) bool {
+	name = NormalizeString(name)
+	if ot, ok := t.typeImpl.(typeObject); ok {
+		if _, hasAttr := ot.AttrTypes[name]; !hasAttr {
+			panic("no such attribute")
+		}
+		_, exists := ot.AttrOptional[name]
+		return exists
+	}
+	panic("AttributeDefaultValue on non-object Type")
+}

vendor/github.com/zclconf/go-cty/cty/path_set.go

@@ -196,3 +196,9 @@ func (r pathSetRules) Equivalent(a, b interface{}) bool {
 
 	return true
 }
+
+// SameRules is true if both Rules instances are pathSetRules structs.
+func (r pathSetRules) SameRules(other set.Rules) bool {
+	_, ok := other.(pathSetRules)
+	return ok
+}

vendor/github.com/zclconf/go-cty/cty/set/rules.go

@@ -22,6 +22,10 @@ type Rules interface {
 	// though it is *not* required that two values with the same hash value
 	// be equivalent.
 	Equivalent(interface{}, interface{}) bool
+
+	// SameRules returns true if the instance is equivalent to another Rules
+	// instance.
+	SameRules(Rules) bool
 }
 
 // OrderedRules is an extension of Rules that can apply a partial order to

vendor/github.com/zclconf/go-cty/cty/set/set.go

@@ -41,7 +41,7 @@ func NewSetFromSlice(rules Rules, vals []interface{}) Set {
 }
 
 func sameRules(s1 Set, s2 Set) bool {
-	return s1.rules == s2.rules
+	return s1.rules.SameRules(s2.rules)
 }
 
 func mustHaveSameRules(s1 Set, s2 Set) {
@@ -53,7 +53,7 @@ func mustHaveSameRules(s1 Set, s2 Set) {
 // HasRules returns true if and only if the receiving set has the given rules
 // instance as its rules.
 func (s Set) HasRules(rules Rules) bool {
-	return s.rules == rules
+	return s.rules.SameRules(rules)
 }
 
 // Rules returns the receiving set's rules instance.

vendor/github.com/zclconf/go-cty/cty/set_internals.go

@@ -65,6 +65,17 @@ func (r setRules) Equivalent(v1 interface{}, v2 interface{}) bool {
 	return eqv.v == true
 }
 
+// SameRules is only true if the other Rules instance is also a setRules struct,
+// and the types are considered equal.
+func (r setRules) SameRules(other set.Rules) bool {
+	rules, ok := other.(setRules)
+	if !ok {
+		return false
+	}
+
+	return r.Type.Equals(rules.Type)
+}
+
 // Less is an implementation of set.OrderedRules so that we can iterate over
 // set elements in a consistent order, where such an order is possible.
 func (r setRules) Less(v1, v2 interface{}) bool {

vendor/github.com/zclconf/go-cty/cty/type.go

@@ -36,6 +36,9 @@ func (t typeImplSigil) isTypeImpl() typeImplSigil {
 // Equals returns true if the other given Type exactly equals the receiver
 // type.
 func (t Type) Equals(other Type) bool {
+	if t == NilType || other == NilType {
+		return t == other
+	}
 	return t.typeImpl.Equals(other)
 }
 
@@ -87,7 +90,7 @@ func (t Type) HasDynamicTypes() bool {
 	case t.IsPrimitiveType():
 		return false
 	case t.IsCollectionType():
-		return false
+		return t.ElementType().HasDynamicTypes()
 	case t.IsObjectType():
 		attrTypes := t.AttributeTypes()
 		for _, at := range attrTypes {

vendor/github.com/zclconf/go-cty/cty/unknown.go

@@ -5,7 +5,8 @@ package cty
 type unknownType struct {
 }
 
-// Unknown is a special value that can be
+// unknown is a special value that can be used as the internal value of a
+// Value to create a placeholder for a value that isn't yet known.
 var unknown interface{} = &unknownType{}
 
 // UnknownVal returns an Value that represents an unknown value of the given

vendor/github.com/zclconf/go-cty/cty/value.go

@@ -106,3 +106,37 @@ func (val Value) IsWhollyKnown() bool {
 		return true
 	}
 }
+
+// HasWhollyKnownType checks if the value is dynamic, or contains any nested
+// DynamicVal. This implies that both the value is not known, and the final
+// type may change.
+func (val Value) HasWhollyKnownType() bool {
+	// a null dynamic type is known
+	if val.IsNull() {
+		return true
+	}
+
+	// an unknown DynamicPseudoType is a DynamicVal, but we don't want to
+	// check that value for equality here, since this method is used within the
+	// equality check.
+	if !val.IsKnown() && val.ty == DynamicPseudoType {
+		return false
+	}
+
+	if val.CanIterateElements() {
+		// if the value is not known, then we can look directly at the internal
+		// types
+		if !val.IsKnown() {
+			return !val.ty.HasDynamicTypes()
+		}
+
+		for it := val.ElementIterator(); it.Next(); {
+			_, ev := it.Element()
+			if !ev.HasWhollyKnownType() {
+				return false
+			}
+		}
+	}
+
+	return true
+}

vendor/github.com/zclconf/go-cty/cty/value_init.go

@@ -247,11 +247,6 @@ func SetVal(vals []Value) Value {
 			val = unmarkedVal
 			markSets = append(markSets, marks)
 		}
-		if val.ContainsMarked() {
-			// FIXME: Allow this, but unmark the values and apply the
-			// marking to the set itself instead.
-			panic("set cannot contain marked values")
-		}
 		if elementType == DynamicPseudoType {
 			elementType = val.ty
 		} else if val.ty != DynamicPseudoType && !elementType.Equals(val.ty) {

vendor/github.com/zclconf/go-cty/cty/value_ops.go

@@ -3,7 +3,6 @@ package cty
 import (
 	"fmt"
 	"math/big"
-	"reflect"
 
 	"github.com/zclconf/go-cty/cty/set"
 )
@@ -133,9 +132,9 @@ func (val Value) Equals(other Value) Value {
 	case val.IsKnown() && !other.IsKnown():
 		switch {
 		case val.IsNull(), other.ty.HasDynamicTypes():
-			// If known is Null, we need to wait for the unkown value since
+			// If known is Null, we need to wait for the unknown value since
 			// nulls of any type are equal.
-			// An unkown with a dynamic type compares as unknown, which we need
+			// An unknown with a dynamic type compares as unknown, which we need
 			// to check before the type comparison below.
 			return UnknownVal(Bool)
 		case !val.ty.Equals(other.ty):
@@ -148,9 +147,9 @@ func (val Value) Equals(other Value) Value {
 	case other.IsKnown() && !val.IsKnown():
 		switch {
 		case other.IsNull(), val.ty.HasDynamicTypes():
-			// If known is Null, we need to wait for the unkown value since
+			// If known is Null, we need to wait for the unknown value since
 			// nulls of any type are equal.
-			// An unkown with a dynamic type compares as unknown, which we need
+			// An unknown with a dynamic type compares as unknown, which we need
 			// to check before the type comparison below.
 			return UnknownVal(Bool)
 		case !other.ty.Equals(val.ty):
@@ -171,7 +170,15 @@ func (val Value) Equals(other Value) Value {
 		return BoolVal(false)
 	}
 
-	if val.ty.HasDynamicTypes() || other.ty.HasDynamicTypes() {
+	// Check if there are any nested dynamic values making this comparison
+	// unknown.
+	if !val.HasWhollyKnownType() || !other.HasWhollyKnownType() {
+		// Even if we have dynamic values, we can still determine inequality if
+		// there is no way the types could later conform.
+		if val.ty.TestConformance(other.ty) != nil && other.ty.TestConformance(val.ty) != nil {
+			return BoolVal(false)
+		}
+
 		return UnknownVal(Bool)
 	}
 
@@ -262,24 +269,26 @@ func (val Value) Equals(other Value) Value {
 		s2 := other.v.(set.Set)
 		equal := true
 
-		// Note that by our definition of sets it's never possible for two
-		// sets that contain unknown values (directly or indicrectly) to
-		// ever be equal, even if they are otherwise identical.
-
-		// FIXME: iterating both lists and checking each item is not the
-		// ideal implementation here, but it works with the primitives we
-		// have in the set implementation. Perhaps the set implementation
-		// can provide its own equality test later.
-		s1.EachValue(func(v interface{}) {
-			if !s2.Has(v) {
+		// Two sets are equal if all of their values are known and all values
+		// in one are also in the other.
+		for it := s1.Iterator(); it.Next(); {
+			rv := it.Value()
+			if rv == unknown { // "unknown" is the internal representation of unknown-ness
+				return UnknownVal(Bool)
+			}
+			if !s2.Has(rv) {
 				equal = false
 			}
-		})
-		s2.EachValue(func(v interface{}) {
-			if !s1.Has(v) {
+		}
+		for it := s2.Iterator(); it.Next(); {
+			rv := it.Value()
+			if rv == unknown { // "unknown" is the internal representation of unknown-ness
+				return UnknownVal(Bool)
+			}
+			if !s1.Has(rv) {
 				equal = false
 			}
-		})
+		}
 
 		result = equal
 	case ty.IsMapType():
@@ -454,17 +463,32 @@ func (val Value) RawEquals(other Value) bool {
 			return true
 		}
 		return false
+
 	case ty.IsSetType():
-		s1 := val.v.(set.Set)
-		s2 := other.v.(set.Set)
+		// Convert the set values into a slice so that we can compare each
+		// value. This is safe because the underlying sets are ordered (see
+		// setRules in set_internals.go), and so the results are guaranteed to
+		// be in a consistent order for two equal sets
+		setList1 := val.AsValueSlice()
+		setList2 := other.AsValueSlice()
+
+		// If both physical sets have the same length and they have all of their
+		// _known_ values in common, we know that both sets also have the same
+		// number of unknown values.
+		if len(setList1) != len(setList2) {
+			return false
+		}
+
+		for i := range setList1 {
+			eq := setList1[i].RawEquals(setList2[i])
+			if !eq {
+				return false
+			}
+		}
 
-		// Since we're intentionally ignoring our rule that two unknowns
-		// are never equal, we can cheat here.
-		// (This isn't 100% right since e.g. it will fail if the set contains
-		// numbers that are infinite, which DeepEqual can't compare properly.
-		// We're accepting that limitation for simplicity here, since this
-		// function is here primarily for testing.)
-		return reflect.DeepEqual(s1, s2)
+		// If we got here without returning false already then our sets are
+		// equal enough for RawEquals purposes.
+		return true
 
 	case ty.IsMapType():
 		ety := ty.typeImpl.(typeMap).ElementTypeT
@@ -572,8 +596,25 @@ func (val Value) Multiply(other Value) Value {
 		return *shortCircuit
 	}
 
-	ret := new(big.Float)
+	// find the larger precision of the arguments
+	resPrec := val.v.(*big.Float).Prec()
+	otherPrec := other.v.(*big.Float).Prec()
+	if otherPrec > resPrec {
+		resPrec = otherPrec
+	}
+
+	// make sure we have enough precision for the product
+	ret := new(big.Float).SetPrec(512)
 	ret.Mul(val.v.(*big.Float), other.v.(*big.Float))
+
+	// now reduce the precision back to the greater argument, or the minimum
+	// required by the product.
+	minPrec := ret.MinPrec()
+	if minPrec > resPrec {
+		resPrec = minPrec
+	}
+	ret.SetPrec(resPrec)
+
 	return NumberVal(ret)
 }
 
@@ -645,11 +686,14 @@ func (val Value) Modulo(other Value) Value {
 	// FIXME: This is a bit clumsy. Should come back later and see if there's a
 	// more straightforward way to do this.
 	rat := val.Divide(other)
-	ratFloorInt := &big.Int{}
-	rat.v.(*big.Float).Int(ratFloorInt)
-	work := (&big.Float{}).SetInt(ratFloorInt)
+	ratFloorInt, _ := rat.v.(*big.Float).Int(nil)
+
+	// start with a copy of the original larger value so that we do not lose
+	// precision.
+	v := val.v.(*big.Float)
+	work := new(big.Float).Copy(v).SetInt(ratFloorInt)
 	work.Mul(other.v.(*big.Float), work)
-	work.Sub(val.v.(*big.Float), work)
+	work.Sub(v, work)
 
 	return NumberVal(work)
 }
@@ -947,8 +991,7 @@ func (val Value) HasElement(elem Value) Value {
 // If the receiver is null then this function will panic.
 //
 // Note that Length is not supported for strings. To determine the length
-// of a string, call AsString and take the length of the native Go string
-// that is returned.
+// of a string, use the Length function in funcs/stdlib.
 func (val Value) Length() Value {
 	if val.IsMarked() {
 		val, valMarks := val.Unmark()
@@ -963,6 +1006,25 @@ func (val Value) Length() Value {
 	if !val.IsKnown() {
 		return UnknownVal(Number)
 	}
+	if val.Type().IsSetType() {
+		// The Length rules are a little different for sets because if any
+		// unknown values are present then the values they are standing in for
+		// may or may not be equal to other elements in the set, and thus they
+		// may or may not coalesce with other elements and produce fewer
+		// items in the resulting set.
+		storeLength := int64(val.v.(set.Set).Length())
+		if storeLength == 1 || val.IsWhollyKnown() {
+			// If our set is wholly known then we know its length.
+			//
+			// We also know the length if the physical store has only one
+			// element, even if that element is unknown, because there's
+			// nothing else in the set for it to coalesce with and a single
+			// unknown value cannot represent more than one known value.
+			return NumberIntVal(storeLength)
+		}
+		// Otherwise, we cannot predict the length.
+		return UnknownVal(Number)
+	}
 
 	return NumberIntVal(int64(val.LengthInt()))
 }
@@ -972,6 +1034,13 @@ func (val Value) Length() Value {
 //
 // This is an integration method provided for the convenience of code bridging
 // into Go's type system.
+//
+// For backward compatibility with an earlier implementation error, LengthInt's
+// result can disagree with Length's result for any set containing unknown
+// values. Length can potentially indicate the set's length is unknown in that
+// case, whereas LengthInt will return the maximum possible length as if the
+// unknown values were each a placeholder for a value not equal to any other
+// value in the set.
 func (val Value) LengthInt() int {
 	val.assertUnmarked()
 	if val.Type().IsTupleType() {
@@ -995,6 +1064,15 @@ func (val Value) LengthInt() int {
 		return len(val.v.([]interface{}))
 
 	case val.ty.IsSetType():
+		// NOTE: This is technically not correct in cases where the set
+		// contains unknown values, because in that case we can't know how
+		// many known values those unknown values are standing in for -- they
+		// might coalesce with other values once known.
+		//
+		// However, this incorrect behavior is preserved for backward
+		// compatibility with callers that were relying on LengthInt rather
+		// than calling Length. Instead of panicking when a set contains an
+		// unknown value, LengthInt returns the largest possible length.
 		return val.v.(set.Set).Length()
 
 	case val.ty.IsMapType():

vendor/github.com/zclconf/go-cty/cty/walk.go

@@ -61,6 +61,34 @@ func walk(path Path, val Value, cb func(Path, Value) (bool, error)) error {
 	return nil
 }
 
+// Transformer is the interface used to optionally transform values in a
+// possibly-complex structure. The Enter method is called before traversing
+// through a given path, and the Exit method is called when traversal of a
+// path is complete.
+//
+// Use Enter when you want to transform a complex value before traversal
+// (preorder), and Exit when you want to transform a value after traversal
+// (postorder).
+//
+// The path passed to the given function may not be used after that function
+// returns, since its backing array is re-used for other calls.
+type Transformer interface {
+	Enter(Path, Value) (Value, error)
+	Exit(Path, Value) (Value, error)
+}
+
+type postorderTransformer struct {
+	callback func(Path, Value) (Value, error)
+}
+
+func (t *postorderTransformer) Enter(p Path, v Value) (Value, error) {
+	return v, nil
+}
+
+func (t *postorderTransformer) Exit(p Path, v Value) (Value, error) {
+	return t.callback(p, v)
+}
+
 // Transform visits all of the values in a possibly-complex structure,
 // calling a given function for each value which has an opportunity to
 // replace that value.
@@ -77,7 +105,7 @@ func walk(path Path, val Value, cb func(Path, Value) (bool, error)) error {
 // value constructor functions. An easy way to preserve invariants is to
 // ensure that the transform function never changes the value type.
 //
-// The callback function my halt the walk altogether by
+// The callback function may halt the walk altogether by
 // returning a non-nil error. If the returned error is about the element
 // currently being visited, it is recommended to use the provided path
 // value to produce a PathError describing that context.
@@ -86,10 +114,23 @@ func walk(path Path, val Value, cb func(Path, Value) (bool, error)) error {
 // returns, since its backing array is re-used for other calls.
 func Transform(val Value, cb func(Path, Value) (Value, error)) (Value, error) {
 	var path Path
-	return transform(path, val, cb)
+	return transform(path, val, &postorderTransformer{cb})
+}
+
+// TransformWithTransformer allows the caller to more closely control the
+// traversal used for transformation. See the documentation for Transformer for
+// more details.
+func TransformWithTransformer(val Value, t Transformer) (Value, error) {
+	var path Path
+	return transform(path, val, t)
 }
 
-func transform(path Path, val Value, cb func(Path, Value) (Value, error)) (Value, error) {
+func transform(path Path, val Value, t Transformer) (Value, error) {
+	val, err := t.Enter(path, val)
+	if err != nil {
+		return DynamicVal, err
+	}
+
 	ty := val.Type()
 	var newVal Value
 
@@ -112,7 +153,7 @@ func transform(path Path, val Value, cb func(Path, Value) (Value, error)) (Value
 				path := append(path, IndexStep{
 					Key: kv,
 				})
-				newEv, err := transform(path, ev, cb)
+				newEv, err := transform(path, ev, t)
 				if err != nil {
 					return DynamicVal, err
 				}
@@ -143,7 +184,7 @@ func transform(path Path, val Value, cb func(Path, Value) (Value, error)) (Value
 				path := append(path, IndexStep{
 					Key: kv,
 				})
-				newEv, err := transform(path, ev, cb)
+				newEv, err := transform(path, ev, t)
 				if err != nil {
 					return DynamicVal, err
 				}
@@ -165,7 +206,7 @@ func transform(path Path, val Value, cb func(Path, Value) (Value, error)) (Value
 				path := append(path, GetAttrStep{
 					Name: name,
 				})
-				newAV, err := transform(path, av, cb)
+				newAV, err := transform(path, av, t)
 				if err != nil {
 					return DynamicVal, err
 				}
@@ -178,5 +219,9 @@ func transform(path Path, val Value, cb func(Path, Value) (Value, error)) (Value
 		newVal = val
 	}
 
-	return cb(path, newVal)
+	newVal, err = t.Exit(path, newVal)
+	if err != nil {
+		return DynamicVal, err
+	}
+	return newVal, err
 }

vendor/golang.org/x/crypto/bcrypt/base64.go

@@ -0,0 +1,35 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package bcrypt
+
+import "encoding/base64"
+
+const alphabet = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+
+var bcEncoding = base64.NewEncoding(alphabet)
+
+func base64Encode(src []byte) []byte {
+	n := bcEncoding.EncodedLen(len(src))
+	dst := make([]byte, n)
+	bcEncoding.Encode(dst, src)
+	for dst[n-1] == '=' {
+		n--
+	}
+	return dst[:n]
+}
+
+func base64Decode(src []byte) ([]byte, error) {
+	numOfEquals := 4 - (len(src) % 4)
+	for i := 0; i < numOfEquals; i++ {
+		src = append(src, '=')
+	}
+
+	dst := make([]byte, bcEncoding.DecodedLen(len(src)))
+	n, err := bcEncoding.Decode(dst, src)
+	if err != nil {
+		return nil, err
+	}
+	return dst[:n], nil
+}

vendor/golang.org/x/crypto/bcrypt/bcrypt.go

@@ -0,0 +1,295 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package bcrypt implements Provos and Mazières's bcrypt adaptive hashing
+// algorithm. See http://www.usenix.org/event/usenix99/provos/provos.pdf
+package bcrypt // import "golang.org/x/crypto/bcrypt"
+
+// The code is a port of Provos and Mazières's C implementation.
+import (
+	"crypto/rand"
+	"crypto/subtle"
+	"errors"
+	"fmt"
+	"io"
+	"strconv"
+
+	"golang.org/x/crypto/blowfish"
+)
+
+const (
+	MinCost     int = 4  // the minimum allowable cost as passed in to GenerateFromPassword
+	MaxCost     int = 31 // the maximum allowable cost as passed in to GenerateFromPassword
+	DefaultCost int = 10 // the cost that will actually be set if a cost below MinCost is passed into GenerateFromPassword
+)
+
+// The error returned from CompareHashAndPassword when a password and hash do
+// not match.
+var ErrMismatchedHashAndPassword = errors.New("crypto/bcrypt: hashedPassword is not the hash of the given password")
+
+// The error returned from CompareHashAndPassword when a hash is too short to
+// be a bcrypt hash.
+var ErrHashTooShort = errors.New("crypto/bcrypt: hashedSecret too short to be a bcrypted password")
+
+// The error returned from CompareHashAndPassword when a hash was created with
+// a bcrypt algorithm newer than this implementation.
+type HashVersionTooNewError byte
+
+func (hv HashVersionTooNewError) Error() string {
+	return fmt.Sprintf("crypto/bcrypt: bcrypt algorithm version '%c' requested is newer than current version '%c'", byte(hv), majorVersion)
+}
+
+// The error returned from CompareHashAndPassword when a hash starts with something other than '$'
+type InvalidHashPrefixError byte
+
+func (ih InvalidHashPrefixError) Error() string {
+	return fmt.Sprintf("crypto/bcrypt: bcrypt hashes must start with '$', but hashedSecret started with '%c'", byte(ih))
+}
+
+type InvalidCostError int
+
+func (ic InvalidCostError) Error() string {
+	return fmt.Sprintf("crypto/bcrypt: cost %d is outside allowed range (%d,%d)", int(ic), int(MinCost), int(MaxCost))
+}
+
+const (
+	majorVersion       = '2'
+	minorVersion       = 'a'
+	maxSaltSize        = 16
+	maxCryptedHashSize = 23
+	encodedSaltSize    = 22
+	encodedHashSize    = 31
+	minHashSize        = 59
+)
+
+// magicCipherData is an IV for the 64 Blowfish encryption calls in
+// bcrypt(). It's the string "OrpheanBeholderScryDoubt" in big-endian bytes.
+var magicCipherData = []byte{
+	0x4f, 0x72, 0x70, 0x68,
+	0x65, 0x61, 0x6e, 0x42,
+	0x65, 0x68, 0x6f, 0x6c,
+	0x64, 0x65, 0x72, 0x53,
+	0x63, 0x72, 0x79, 0x44,
+	0x6f, 0x75, 0x62, 0x74,
+}
+
+type hashed struct {
+	hash  []byte
+	salt  []byte
+	cost  int // allowed range is MinCost to MaxCost
+	major byte
+	minor byte
+}
+
+// GenerateFromPassword returns the bcrypt hash of the password at the given
+// cost. If the cost given is less than MinCost, the cost will be set to
+// DefaultCost, instead. Use CompareHashAndPassword, as defined in this package,
+// to compare the returned hashed password with its cleartext version.
+func GenerateFromPassword(password []byte, cost int) ([]byte, error) {
+	p, err := newFromPassword(password, cost)
+	if err != nil {
+		return nil, err
+	}
+	return p.Hash(), nil
+}
+
+// CompareHashAndPassword compares a bcrypt hashed password with its possible
+// plaintext equivalent. Returns nil on success, or an error on failure.
+func CompareHashAndPassword(hashedPassword, password []byte) error {
+	p, err := newFromHash(hashedPassword)
+	if err != nil {
+		return err
+	}
+
+	otherHash, err := bcrypt(password, p.cost, p.salt)
+	if err != nil {
+		return err
+	}
+
+	otherP := &hashed{otherHash, p.salt, p.cost, p.major, p.minor}
+	if subtle.ConstantTimeCompare(p.Hash(), otherP.Hash()) == 1 {
+		return nil
+	}
+
+	return ErrMismatchedHashAndPassword
+}
+
+// Cost returns the hashing cost used to create the given hashed
+// password. When, in the future, the hashing cost of a password system needs
+// to be increased in order to adjust for greater computational power, this
+// function allows one to establish which passwords need to be updated.
+func Cost(hashedPassword []byte) (int, error) {
+	p, err := newFromHash(hashedPassword)
+	if err != nil {
+		return 0, err
+	}
+	return p.cost, nil
+}
+
+func newFromPassword(password []byte, cost int) (*hashed, error) {
+	if cost < MinCost {
+		cost = DefaultCost
+	}
+	p := new(hashed)
+	p.major = majorVersion
+	p.minor = minorVersion
+
+	err := checkCost(cost)
+	if err != nil {
+		return nil, err
+	}
+	p.cost = cost
+
+	unencodedSalt := make([]byte, maxSaltSize)
+	_, err = io.ReadFull(rand.Reader, unencodedSalt)
+	if err != nil {
+		return nil, err
+	}
+
+	p.salt = base64Encode(unencodedSalt)
+	hash, err := bcrypt(password, p.cost, p.salt)
+	if err != nil {
+		return nil, err
+	}
+	p.hash = hash
+	return p, err
+}
+
+func newFromHash(hashedSecret []byte) (*hashed, error) {
+	if len(hashedSecret) < minHashSize {
+		return nil, ErrHashTooShort
+	}
+	p := new(hashed)
+	n, err := p.decodeVersion(hashedSecret)
+	if err != nil {
+		return nil, err
+	}
+	hashedSecret = hashedSecret[n:]
+	n, err = p.decodeCost(hashedSecret)
+	if err != nil {
+		return nil, err
+	}
+	hashedSecret = hashedSecret[n:]
+
+	// The "+2" is here because we'll have to append at most 2 '=' to the salt
+	// when base64 decoding it in expensiveBlowfishSetup().
+	p.salt = make([]byte, encodedSaltSize, encodedSaltSize+2)
+	copy(p.salt, hashedSecret[:encodedSaltSize])
+
+	hashedSecret = hashedSecret[encodedSaltSize:]
+	p.hash = make([]byte, len(hashedSecret))
+	copy(p.hash, hashedSecret)
+
+	return p, nil
+}
+
+func bcrypt(password []byte, cost int, salt []byte) ([]byte, error) {
+	cipherData := make([]byte, len(magicCipherData))
+	copy(cipherData, magicCipherData)
+
+	c, err := expensiveBlowfishSetup(password, uint32(cost), salt)
+	if err != nil {
+		return nil, err
+	}
+
+	for i := 0; i < 24; i += 8 {
+		for j := 0; j < 64; j++ {
+			c.Encrypt(cipherData[i:i+8], cipherData[i:i+8])
+		}
+	}
+
+	// Bug compatibility with C bcrypt implementations. We only encode 23 of
+	// the 24 bytes encrypted.
+	hsh := base64Encode(cipherData[:maxCryptedHashSize])
+	return hsh, nil
+}
+
+func expensiveBlowfishSetup(key []byte, cost uint32, salt []byte) (*blowfish.Cipher, error) {
+	csalt, err := base64Decode(salt)
+	if err != nil {
+		return nil, err
+	}
+
+	// Bug compatibility with C bcrypt implementations. They use the trailing
+	// NULL in the key string during expansion.
+	// We copy the key to prevent changing the underlying array.
+	ckey := append(key[:len(key):len(key)], 0)
+
+	c, err := blowfish.NewSaltedCipher(ckey, csalt)
+	if err != nil {
+		return nil, err
+	}
+
+	var i, rounds uint64
+	rounds = 1 << cost
+	for i = 0; i < rounds; i++ {
+		blowfish.ExpandKey(ckey, c)
+		blowfish.ExpandKey(csalt, c)
+	}
+
+	return c, nil
+}
+
+func (p *hashed) Hash() []byte {
+	arr := make([]byte, 60)
+	arr[0] = '$'
+	arr[1] = p.major
+	n := 2
+	if p.minor != 0 {
+		arr[2] = p.minor
+		n = 3
+	}
+	arr[n] = '$'
+	n++
+	copy(arr[n:], []byte(fmt.Sprintf("%02d", p.cost)))
+	n += 2
+	arr[n] = '$'
+	n++
+	copy(arr[n:], p.salt)
+	n += encodedSaltSize
+	copy(arr[n:], p.hash)
+	n += encodedHashSize
+	return arr[:n]
+}
+
+func (p *hashed) decodeVersion(sbytes []byte) (int, error) {
+	if sbytes[0] != '$' {
+		return -1, InvalidHashPrefixError(sbytes[0])
+	}
+	if sbytes[1] > majorVersion {
+		return -1, HashVersionTooNewError(sbytes[1])
+	}
+	p.major = sbytes[1]
+	n := 3
+	if sbytes[2] != '$' {
+		p.minor = sbytes[2]
+		n++
+	}
+	return n, nil
+}
+
+// sbytes should begin where decodeVersion left off.
+func (p *hashed) decodeCost(sbytes []byte) (int, error) {
+	cost, err := strconv.Atoi(string(sbytes[0:2]))
+	if err != nil {
+		return -1, err
+	}
+	err = checkCost(cost)
+	if err != nil {
+		return -1, err
+	}
+	p.cost = cost
+	return 3, nil
+}
+
+func (p *hashed) String() string {
+	return fmt.Sprintf("&{hash: %#v, salt: %#v, cost: %d, major: %c, minor: %c}", string(p.hash), p.salt, p.cost, p.major, p.minor)
+}
+
+func checkCost(cost int) error {
+	if cost < MinCost || cost > MaxCost {
+		return InvalidCostError(cost)
+	}
+	return nil
+}

vendor/modules.txt

@@ -32,6 +32,8 @@ github.com/agext/levenshtein
 # github.com/agl/ed25519 v0.0.0-20170116200512-5312a6153412
 github.com/agl/ed25519
 github.com/agl/ed25519/edwards25519
+# github.com/apparentlymart/go-cidr v1.0.1
+github.com/apparentlymart/go-cidr/cidr
 # github.com/apparentlymart/go-textseg/v12 v12.0.0
 github.com/apparentlymart/go-textseg/v12/textseg
 # github.com/beorn7/perks v1.0.1
@@ -201,6 +203,8 @@ github.com/google/go-cmp/cmp/internal/value
 github.com/google/gofuzz
 # github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 github.com/google/shlex
+# github.com/google/uuid v1.1.1
+github.com/google/uuid
 # github.com/googleapis/gnostic v0.4.1
 github.com/googleapis/gnostic/compiler
 github.com/googleapis/gnostic/extensions
@@ -211,9 +215,16 @@ github.com/gorilla/mux
 github.com/grpc-ecosystem/go-grpc-middleware
 # github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645
 github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc
-# github.com/hashicorp/hcl/v2 v2.6.0
+# github.com/hashicorp/go-cty-funcs v0.0.0-20200930094925-2721b1e36840
+github.com/hashicorp/go-cty-funcs/cidr
+github.com/hashicorp/go-cty-funcs/crypto
+github.com/hashicorp/go-cty-funcs/encoding
+github.com/hashicorp/go-cty-funcs/uuid
+# github.com/hashicorp/hcl/v2 v2.8.1
 github.com/hashicorp/hcl/v2
 github.com/hashicorp/hcl/v2/ext/customdecode
+github.com/hashicorp/hcl/v2/ext/tryfunc
+github.com/hashicorp/hcl/v2/ext/typeexpr
 github.com/hashicorp/hcl/v2/ext/userfunc
 github.com/hashicorp/hcl/v2/gohcl
 github.com/hashicorp/hcl/v2/hclsimple
@@ -352,7 +363,7 @@ github.com/xeipuuv/gojsonpointer
 github.com/xeipuuv/gojsonreference
 # github.com/xeipuuv/gojsonschema v1.2.0
 github.com/xeipuuv/gojsonschema
-# github.com/zclconf/go-cty v1.4.0
+# github.com/zclconf/go-cty v1.7.1
 github.com/zclconf/go-cty/cty
 github.com/zclconf/go-cty/cty/convert
 github.com/zclconf/go-cty/cty/function
@@ -367,6 +378,7 @@ go.opencensus.io/trace
 go.opencensus.io/trace/internal
 go.opencensus.io/trace/tracestate
 # golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9
+golang.org/x/crypto/bcrypt
 golang.org/x/crypto/blowfish
 golang.org/x/crypto/chacha20
 golang.org/x/crypto/curve25519
@@ -397,7 +409,7 @@ golang.org/x/oauth2/google
 golang.org/x/oauth2/internal
 golang.org/x/oauth2/jws
 golang.org/x/oauth2/jwt
-# golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208
+# golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9
 golang.org/x/sync/errgroup
 golang.org/x/sync/semaphore
 # golang.org/x/sys v0.0.0-20201013081832-0aaa2718063a