Unresolvable data references can cause a merged tag set to be null #205

Open

ajkerrigan opened this issue Jul 15, 2024 · 2 comments

@ajkerrigan (Member)
It looks like using merge() can produce an empty map if any of its elements have a direct reference that can't be resolved at scan time. For example, given the following Terraform file:

```hcl
# main.tf

data "aws_region" "current" {}

variable "tags" {
  type = map(string)
  default = {
    VarTag1 = data.aws_region.current.name
  }
}

locals {
  tags = {
    LocalTag1 = data.aws_region.current.name
  }
}

resource "aws_s3_bucket" "ok1" {
  bucket = "ok1"

  tags = merge(
    var.tags,
    local.tags
  )
}

resource "aws_s3_bucket" "ok2" {
  bucket = "ok2"

  tags = {
    "ResourceTag1" = data.aws_region.current.name
  }
}

resource "aws_s3_bucket" "bug1" {
  bucket = "bug1"

  tags = merge(
    var.tags,
    local.tags,
    {
      "ResourceTag1" = data.aws_region.current.name
    }
  )
}
```

There are 3 buckets with tag definitions that refer to data.aws_region.current.name, which tfparse resolves to a null/empty value. The ok1 and ok2 buckets end up with tags that have null/empty values, but the bug1 bucket produces an entirely null set of tags.

Results of a tfparse.load_from_path() for this sample module:

```json
{
    "aws_region": [
        {
            "__tfmeta": {
                "filename": "main.tf",
                "label": "aws_region",
                "line_end": 1,
                "line_start": 1,
                "path": "data.aws_region.current",
                "type": "data"
            },
            "id": "6b85d52d-5153-48bc-849e-2b8db532fb52"
        }
    ],
    "aws_s3_bucket": [
        {
            "__tfmeta": {
                "filename": "main.tf",
                "label": "aws_s3_bucket",
                "line_end": 43,
                "line_start": 33,
                "path": "aws_s3_bucket.bug1",
                "type": "resource"
            },
            "bucket": "bug1",
            "id": "adb04e60-9d00-46a0-b876-a79be0925e40",
            "tags": null
        },
        {
            "__tfmeta": {
                "filename": "main.tf",
                "label": "aws_s3_bucket",
                "line_end": 23,
                "line_start": 16,
                "path": "aws_s3_bucket.ok1",
                "type": "resource"
            },
            "bucket": "ok1",
            "id": "a0de7f46-546a-46b3-89a1-02a5906111f6",
            "tags": {
                "LocalTag1": null,
                "VarTag1": null
            }
        },
        {
            "__tfmeta": {
                "filename": "main.tf",
                "label": "aws_s3_bucket",
                "line_end": 31,
                "line_start": 25,
                "path": "aws_s3_bucket.ok2",
                "type": "resource"
            },
            "bucket": "ok2",
            "id": "8581a2e6-8016-4f4b-8885-0d56bb973d85",
            "tags": {
                "ResourceTag1": null
            }
        }
    ],
    "locals": [
        {
            "__tfmeta": {
                "filename": "main.tf",
                "line_end": 14,
                "line_start": 10,
                "path": "locals"
            },
            "id": "6ac38550-c83e-4fa4-bc8c-04cc0303a257",
            "tags": {
                "LocalTag1": null
            }
        }
    ],
    "variable": [
        {
            "__tfmeta": {
                "filename": "main.tf",
                "label": "tags",
                "line_end": 8,
                "line_start": 3,
                "path": "variable.tags"
            },
            "default": {
                "VarTag1": null
            },
            "id": "8ca4495d-36da-4dfc-bad0-cd78ff373fb7",
            "type": null
        }
    ]
}
```
@albertodonato (Contributor)
albertodonato commented Jul 17, 2024

The fact that the merge() comes back as null is due to the HCL library not calling the function if argument values have errors (e.g. an unknown variable value, as in this case), which happens here.

For the specific case with the current region name, aquasecurity/trivy#7184 fixes the issue by adding a value to the presets.

albertodonato added a commit to albertodonato/tfparse that referenced this issue Jul 17, 2024
@ajkerrigan (Member Author)

Reopening to keep this as a tracking issue since the region preset only works around a subset of cases. I'm not clear on the best way forward though. Treating unresolvable values as individually null (so they could pass through a merge) is one option. Another might be to allow users to provide explicit presets at runtime, as one of the trivy maintainers suggested here.

@ajkerrigan ajkerrigan reopened this Sep 13, 2024
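Until the parser settles on one of the options above, anything that consumes tfparse output for a tag policy has to cope with three different shapes that are easy to conflate: no `tags` attribute at all, `tags` present but collapsed to `null` (the `merge()` case in this issue), and a map whose individual values are `null` because a reference could not be resolved at scan time. The following is an added example, not tfparse's or the issue author's code. It works on the dict shape `load_from_path()` returns as shown above (resource type mapped to a list of blocks, each with a `__tfmeta` entry), uses a constructed sample trimmed from the output posted in the issue plus one extra bucket with no tags block, and treats a collapsed map as "unknown" rather than as a pass or a fail, since the source may well define the required keys.

```python
"""Audit required tags in tfparse output without conflating "no tags",
"tags collapsed to null" and "tag values unresolved".

Added example for this issue, not tfparse's own code. Assumes the dict
shape returned by tfparse.load_from_path(): resource type -> list of
blocks, each carrying a "__tfmeta" entry with "path", "filename" and
"line_start".
"""
from __future__ import annotations

from typing import Any

# Constructed sample: trimmed from the load_from_path() output in the issue,
# plus an "untagged" bucket (not in the issue) that defines no tags at all.
SAMPLE_PARSED: dict[str, list[dict[str, Any]]] = {
    "aws_s3_bucket": [
        {
            "__tfmeta": {"filename": "main.tf", "line_start": 33, "path": "aws_s3_bucket.bug1"},
            "bucket": "bug1",
            "tags": None,  # whole merge() result lost
        },
        {
            "__tfmeta": {"filename": "main.tf", "line_start": 16, "path": "aws_s3_bucket.ok1"},
            "bucket": "ok1",
            "tags": {"LocalTag1": None, "VarTag1": None},  # keys kept, values unresolved
        },
        {
            "__tfmeta": {"filename": "main.tf", "line_start": 25, "path": "aws_s3_bucket.ok2"},
            "bucket": "ok2",
            "tags": {"ResourceTag1": None},
        },
        {
            "__tfmeta": {"filename": "main.tf", "line_start": 45, "path": "aws_s3_bucket.untagged"},
            "bucket": "untagged",  # no tags attribute at all
        },
    ],
}

ABSENT = "absent"          # no tags attribute in the parsed block
UNRESOLVED = "unresolved"  # tags attribute present but parsed to null
PRESENT = "present"        # a map came back; individual values may still be null


def tag_state(block: dict[str, Any]) -> str:
    """Classify how the tags attribute of one parsed block survived parsing."""
    if "tags" not in block:
        return ABSENT
    if block["tags"] is None:
        return UNRESOLVED
    return PRESENT


def audit_required_tags(
    parsed: dict[str, list[dict[str, Any]]],
    resource_types: tuple[str, ...],
    required: frozenset[str],
) -> list[dict[str, Any]]:
    """Report, per resource, which required tag keys are missing or unresolved.

    A block whose tags collapsed to null gets verdict "unknown": failing it
    would be a false positive when the source defines the keys, and passing
    it would hide a real gap. Route those findings to manual review.
    """
    findings: list[dict[str, Any]] = []
    for rtype in resource_types:
        for block in parsed.get(rtype, []):
            meta = block["__tfmeta"]
            state = tag_state(block)
            tags: dict[str, Any] = block.get("tags") or {}
            missing = sorted(k for k in required if k not in tags)
            unresolved = sorted(k for k in required if k in tags and tags[k] is None)
            if state == UNRESOLVED:
                verdict = "unknown"
            elif missing:
                verdict = "fail"
            else:
                verdict = "pass"
            findings.append(
                {
                    "path": meta["path"],
                    "location": f"{meta['filename']}:{meta['line_start']}",
                    "state": state,
                    "missing": missing,
                    "unresolved_values": unresolved,
                    "verdict": verdict,
                }
            )
    return findings


def verdicts(findings: list[dict[str, Any]]) -> dict[str, str]:
    """Collapse findings to path -> verdict for quick comparison."""
    return {f["path"]: f["verdict"] for f in findings}


if __name__ == "__main__":
    required_keys = frozenset({"VarTag1", "LocalTag1"})
    for finding in audit_required_tags(SAMPLE_PARSED, ("aws_s3_bucket",), required_keys):
        print(finding)
```

With the sample above and `VarTag1`/`LocalTag1` required, `bug1` comes back `unknown`, `ok1` passes on keys while listing both values as unresolved, and `ok2` and `untagged` fail. A check that only did `block.get("tags", {}).get(key)` would raise on `bug1` and treat `ok1` and `ok2` identically, which is exactly the information the parser output still carries and a policy engine should not throw away.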