Does Trivy correctly handle variables in terraform configuration files? #7731

ledmonster · 2024-10-14T16:17:55Z

ledmonster
Oct 14, 2024

Question

Does Trivy correctly handle variables in terraform configuration files?

When I run

trivy config .

I see many following errors on for_each blocks which use variables.

[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.

Does PR #7612 fix the issue?

Example

resource "google_project_iam_custom_role" "example" {
  role_id     = "example"
  title       = "example"
  description = "example"
  permissions = []
}

resource "google_project_iam_member" "example" {
  for_each = toset([
    google_project_iam_custom_role.example.name,
  ])
  project = "example"
  member  = "group:foo@example.com"
  role    = each.value
}

$ trivy config tmp/  --debug
2024-10-15T01:40:59+09:00	DEBUG	No plugins loaded
2024-10-15T01:40:59+09:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-10-15T01:40:59+09:00	DEBUG	Cache dir	dir="/home/junya/.cache/trivy"
2024-10-15T01:40:59+09:00	DEBUG	Cache dir	dir="/home/junya/.cache/trivy"
2024-10-15T01:40:59+09:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-10-15T01:40:59+09:00	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-15T01:40:59+09:00	DEBUG	[misconfig] Checks successfully loaded from disk
2024-10-15T01:40:59+09:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-10-15T01:40:59+09:00	DEBUG	Initializing scan cache...	type="memory"
2024-10-15T01:41:00+09:00	DEBUG	Scanning files for misconfigurations...	scanner="Terraform"
2024-10-15T01:41:00+09:00	DEBUG	[terraform scanner] Scanning directory	file_path="."
2024-10-15T01:41:00+09:00	DEBUG	[rego] Overriding filesystem for checks
2024-10-15T01:41:00+09:00	DEBUG	[rego] Embedded libraries are loaded	count=13
2024-10-15T01:41:00+09:00	DEBUG	[rego] Embedded checks are loaded	count=508
2024-10-15T01:41:00+09:00	DEBUG	[rego] Checks from disk are loaded	count=521
2024-10-15T01:41:00+09:00	DEBUG	[rego] Overriding filesystem for data
2024-10-15T01:41:00+09:00	DEBUG	[terraform parser] Setting project/module root	module="root" file_path="."
2024-10-15T01:41:00+09:00	DEBUG	[terraform parser] Parsing FS	module="root" file_path="."
2024-10-15T01:41:00+09:00	DEBUG	[terraform parser] Parsing	module="root" file_path="main.tf"
2024-10-15T01:41:00+09:00	DEBUG	[terraform parser] Added file	module="root" file_path="main.tf"
2024-10-15T01:41:00+09:00	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-15T01:41:00+09:00	DEBUG	[terraform parser] Setting project/module root	module="root" file_path="."
2024-10-15T01:41:00+09:00	DEBUG	[terraform parser] Parsing FS	module="root" file_path="."
2024-10-15T01:41:00+09:00	DEBUG	[terraform parser] Parsing	module="root" file_path="main.tf"
2024-10-15T01:41:00+09:00	DEBUG	[terraform parser] Added file	module="root" file_path="main.tf"
2024-10-15T01:41:00+09:00	DEBUG	[terraform parser] Loading module	module="root" module="root"
2024-10-15T01:41:00+09:00	DEBUG	[terraform parser] Read block(s) and ignore(s)	module="root" blocks=2 ignores=0
2024-10-15T01:41:00+09:00	DEBUG	[terraform parser] Added input variables from tfvars	module="root" count=0
2024-10-15T01:41:00+09:00	DEBUG	[terraform parser] Working directory for module evaluation	module="root" file_path="/tmp"
2024-10-15T01:41:00+09:00	DEBUG	[terraform evaluator] Starting module evaluation...	path="."
2024-10-15T01:41:00+09:00	DEBUG	[terraform evaluator] Starting iteration	iteration=0
2024-10-15T01:41:00+09:00	DEBUG	[terraform evaluator] Starting iteration	iteration=1
2024-10-15T01:41:00+09:00	DEBUG	[terraform evaluator] Context unchanged	iteration=1
2024-10-15T01:41:00+09:00	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="google_project_iam_member.example" value="cty.NilVal"
2024-10-15T01:41:00+09:00	DEBUG	[terraform evaluator] Starting post-submodules evaluation...
2024-10-15T01:41:00+09:00	DEBUG	[terraform evaluator] Starting iteration	iteration=0
2024-10-15T01:41:00+09:00	DEBUG	[terraform evaluator] Starting iteration	iteration=1
2024-10-15T01:41:00+09:00	DEBUG	[terraform evaluator] Context unchanged	iteration=1
2024-10-15T01:41:00+09:00	DEBUG	[terraform evaluator] Module evaluation complete.
2024-10-15T01:41:00+09:00	DEBUG	[terraform parser] Finished parsing module	module="root"
2024-10-15T01:41:00+09:00	DEBUG	[terraform executor] Adapting modules...
2024-10-15T01:41:00+09:00	DEBUG	[terraform executor] Adapted module(s) into state data.	count=1
2024-10-15T01:41:00+09:00	DEBUG	[terraform executor] Using max routines	count=11
2024-10-15T01:41:01+09:00	DEBUG	[terraform executor] Initialized Go check(s).	count=482
2024-10-15T01:41:01+09:00	DEBUG	[rego] Scanning inputs	count=1
2024-10-15T01:41:01+09:00	DEBUG	[terraform executor] Finished applying rules.
2024-10-15T01:41:01+09:00	DEBUG	[terraform executor] Applying ignores...
2024-10-15T01:41:01+09:00	DEBUG	OS is not detected.
2024-10-15T01:41:01+09:00	INFO	Detected config files	num=1
2024-10-15T01:41:01+09:00	DEBUG	Scanned config file	file_path="."
2024-10-15T01:41:01+09:00	DEBUG	[vex] VEX filtering is disabled

If I remove toset or convert variable to a constant value, the ERROR disapears.

following two cases have no error logs.

resource "google_project_iam_custom_role" "example" {
  role_id     = "example"
  title       = "example"
  description = "example"
  permissions = []
}

resource "google_project_iam_member" "example" {
  for_each = [
    google_project_iam_custom_role.example.name,
  ]
  project = "example"
  member  = "group:foo@example.com"
  role    = each.value
}

resource "google_project_iam_member" "example" {
  for_each = toset([
    "roles/example",
  ])
  project = "example"
  member  = "group:foo@example.com"
  role    = each.value
}

Target

Filesystem

Scanner

Misconfiguration

Output Format

Table

Mode

Standalone

Operating System

Ubuntu 22.04

Version

$ trivy --version
Version: 0.56.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-06-13 06:11:38.07539382 +0000 UTC
  NextUpdate: 2024-06-13 12:11:38.075393419 +0000 UTC
  DownloadedAt: 2024-06-13 09:08:49.199239607 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-06-13 01:03:26.782257844 +0000 UTC
  NextUpdate: 2024-06-16 01:03:26.782257723 +0000 UTC
  DownloadedAt: 2024-06-13 05:25:38.436633939 +0000 UTC
Check Bundle:
  Digest: sha256:ae151c4eecf35c507d8f866121ddfbf46540b041bc7bca7cdd8d9f70ceb6f12c
  DownloadedAt: 2024-10-14 13:40:42.38290652 +0000 UTC

Answered by nikpivkin

Oct 15, 2024

Hi @ledmonster !

Trivy performs a static scan of the Terraform configuration, so it knows nothing about the state of the resources. In the example, you are referring to the name attribute of the google_project_iam_custom_role resource, about which nothing is known at the time of the scan, so it is null. Beforehand, we fill in the id of the resources and some other attributes. If I refer to the id attribute, which is equivalent to name, I don't get any errors:

resource "google_project_iam_member" "example" {
  for_each = toset([
    google_project_iam_custom_role.example.id,
  ])
  project = "example"
  member  = "group:foo@example.com"
  role    = each.value
}

View full answer

nikpivkin · 2024-10-15T04:40:21Z

nikpivkin
Oct 15, 2024
Maintainer

Hi @ledmonster !

Trivy performs a static scan of the Terraform configuration, so it knows nothing about the state of the resources. In the example, you are referring to the name attribute of the google_project_iam_custom_role resource, about which nothing is known at the time of the scan, so it is null. Beforehand, we fill in the id of the resources and some other attributes. If I refer to the id attribute, which is equivalent to name, I don't get any errors:

resource "google_project_iam_member" "example" {
  for_each = toset([
    google_project_iam_custom_role.example.id,
  ])
  project = "example"
  member  = "group:foo@example.com"
  role    = each.value
}

1 reply

ledmonster Oct 15, 2024
Author

Thank you for the useful tips. I'll try with id.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Does Trivy correctly handle variables in terraform configuration files? #7731

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Does Trivy correctly handle variables in terraform configuration files? #7731

ledmonster Oct 14, 2024

Question

Example

Target

Scanner

Output Format

Mode

Operating System

Version

Replies: 1 comment · 1 reply

nikpivkin Oct 15, 2024 Maintainer

ledmonster Oct 15, 2024 Author

ledmonster
Oct 14, 2024

Replies: 1 comment 1 reply

nikpivkin
Oct 15, 2024
Maintainer

ledmonster Oct 15, 2024
Author