From accaa8d027fad53741aabba95397c83e5325aad4 Mon Sep 17 00:00:00 2001
From: Daniel Schmidt <danielmschmidt92@gmail.com>
Date: Fri, 17 Oct 2025 13:19:47 +0200
Subject: [PATCH] also check against action references in depends_on during
 config parsing

---
 internal/configs/config_test.go               | 16 +++++
 internal/configs/depends_on.go                | 12 +++-
 .../action-in-resource-depends_on.tf          | 11 +++
 .../terraform/context_plan_actions_test.go    | 69 -------------------
 4 files changed, 38 insertions(+), 70 deletions(-)
 create mode 100644 internal/configs/testdata/invalid-modules/action-in-depends_on/action-in-resource-depends_on.tf

diff --git a/internal/configs/config_test.go b/internal/configs/config_test.go
index 4491aa2b8b..8153656816 100644
--- a/internal/configs/config_test.go
+++ b/internal/configs/config_test.go
@@ -581,3 +581,19 @@ func TestConfigImportProviderWithNoResourceProvider(t *testing.T) {
 Use the provider argument in the target resource block to configure the provider for a resource with explicit provider configuration.`,
 	})
 }
+
+func TestConfigActionInResourceDependsOn(t *testing.T) {
+	src, err := os.ReadFile("testdata/invalid-modules/action-in-depends_on/action-in-resource-depends_on.tf")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	parser := testParser(map[string]string{
+		"main.tf": string(src),
+	})
+
+	_, diags := parser.LoadConfigFile("main.tf")
+	assertExactDiagnostics(t, diags, []string{
+		`main.tf:5,17-42: Invalid depends_on Action Reference; The depends_on attribute cannot reference action blocks directly. You must reference a resource or data source instead.`,
+	})
+}
diff --git a/internal/configs/depends_on.go b/internal/configs/depends_on.go
index 9e3d23ff03..56de31d288 100644
--- a/internal/configs/depends_on.go
+++ b/internal/configs/depends_on.go
@@ -17,8 +17,18 @@ func DecodeDependsOn(attr *hcl.Attribute) ([]hcl.Traversal, hcl.Diagnostics) {
 
 		traversal, travDiags := hcl.AbsTraversalForExpr(expr)
 		diags = append(diags, travDiags...)
+
 		if len(traversal) != 0 {
-			ret = append(ret, traversal)
+			if traversal.RootName() == "action" {
+				diags = append(diags, &hcl.Diagnostic{
+					Severity: hcl.DiagError,
+					Summary:  "Invalid depends_on Action Reference",
+					Detail:   "The depends_on attribute cannot reference action blocks directly. You must reference a resource or data source instead.",
+					Subject:  expr.Range().Ptr(),
+				})
+			} else {
+				ret = append(ret, traversal)
+			}
 		}
 	}
 
diff --git a/internal/configs/testdata/invalid-modules/action-in-depends_on/action-in-resource-depends_on.tf b/internal/configs/testdata/invalid-modules/action-in-depends_on/action-in-resource-depends_on.tf
new file mode 100644
index 0000000000..4dd873a59d
--- /dev/null
+++ b/internal/configs/testdata/invalid-modules/action-in-depends_on/action-in-resource-depends_on.tf
@@ -0,0 +1,11 @@
+action "aws_action" "example" {
+}
+
+resource "aws_instance" "web" {
+  depends_on = [action.aws_action.example]
+  ami        = "ami-1234"
+  security_groups = [
+    "foo",
+    "bar",
+  ]
+}
diff --git a/internal/terraform/context_plan_actions_test.go b/internal/terraform/context_plan_actions_test.go
index 3a04e6652c..ecb6d4386a 100644
--- a/internal/terraform/context_plan_actions_test.go
+++ b/internal/terraform/context_plan_actions_test.go
@@ -319,75 +319,6 @@ output "my_output2" {
 				},
 			},
 
-			"actions can't be used in depends_on": {
-				module: map[string]string{
-					"main.tf": `
-action "test_action" "my_action" {
-  config {
-    attr = "value"
-  }
-}
-resource "test_object" "a" {
-  depends_on = [action.test_action.my_action]
-  lifecycle {
-    action_trigger {
-      events = [before_create]
-      actions = [action.test_action.my_action]
-    }
-  }
-}
-`,
-				},
-				expectValidateDiagnostics: func(m *configs.Config) tfdiags.Diagnostics {
-					return tfdiags.Diagnostics{}.Append(
-						&hcl.Diagnostic{
-							Severity: hcl.DiagError,
-							Summary:  "Invalid depends_on reference",
-							Detail:   "Actions can not be referenced in depends_on. Use depends_on on the resource that triggers the action instead.",
-							Subject: &hcl.Range{
-								Filename: filepath.Join(m.Module.SourceDir, "main.tf"),
-								Start:    hcl.Pos{Line: 8, Column: 17, Byte: 117},
-								End:      hcl.Pos{Line: 8, Column: 45, Byte: 145},
-							},
-						})
-				},
-			},
-
-			"action instances can't be used in depends_on": {
-				module: map[string]string{
-					"main.tf": `
-action "test_action" "my_action" {
-  count = 3
-  config {
-    attr = "value"
-  }
-}
-resource "test_object" "a" {
-  depends_on = [action.test_action.my_action[1]]
-  lifecycle {
-    action_trigger {
-      events = [before_create]
-      actions = [action.test_action.my_action[1]]
-    }
-  }
-}
-`,
-				},
-				expectValidateDiagnostics: func(m *configs.Config) tfdiags.Diagnostics {
-					return tfdiags.Diagnostics{}.Append(
-						&hcl.Diagnostic{
-							Severity: hcl.DiagError,
-							Summary:  "Invalid depends_on reference",
-							Detail:   "Actions can not be referenced in depends_on. Use depends_on on the resource that triggers the action instead.",
-							Subject: &hcl.Range{
-								Filename: filepath.Join(m.Module.SourceDir, "main.tf"),
-								Start:    hcl.Pos{Line: 9, Column: 17, Byte: 129},
-								End:      hcl.Pos{Line: 9, Column: 48, Byte: 160},
-							},
-						})
-				},
-			},
-
 			"destroy run": {
 				module: map[string]string{
 					"main.tf": `