
Terraform locals aren't evaluated in the payload by KICS

Open jycamier opened this issue 3 years ago • 3 comments

Here's a simple query which validates the existence of a bucket tag in a resource aws_s3_bucket

```rego
package Cx

import data.generic.common as common_lib

CxPolicy[result] {
   resource := input.document[i].resource.aws_s3_bucket[name]

   # valid_key holds when the key exists and is not null
   not common_lib.valid_key(resource.tags, "bucket")

   result := {
      "documentId": input.document[i].id,
      "searchKey": sprintf("aws_s3_bucket[{{%s}}].tags.bucket", [name]),
      "issueType": "MissingAttribute",
      "keyExpectedValue": sprintf("aws_s3_bucket[%s].tags.bucket is set and not null", [name]),
      "keyActualValue": sprintf("aws_s3_bucket[%s].tags.bucket is missing or null", [name]),
   }
}
```

When I use a variable in Terraform, the payload computed by KICS contains evaluated resource tags.

## file negative3.tf

```hcl
variable "tags" {
  type = map(string)
  default = {
    bucket = "kfc"
  }
}

resource "aws_s3_bucket" "negative2" {
  bucket = "kfc"

  tags = var.tags
}
```

```json
{
	"document": [
		{
			"id": "f22a0590-a2e0-46fc-884f-d75ffdcd0834",
			"resource": {
				"aws_s3_bucket": {
					"negative2": {
						"bucket": "kfc",
						"tags": {
							"bucket": "kfc"
						}
					}
				}
			},
			"variable": {
				"tags": {
					"default": {
						"bucket": "kfc"
					},
					"type": "${map(string)}"
				}
			},
			"file": "/Users/jycamier/workspace/kics/custom_queries/check_s3_mandatory_tag/test/negative2.tf"
		}
	]
}
```

The output:

```json
{
    "CxPolicy": []
}
```

However, it seems that Terraform locals aren't interpreted by KICS for the payload.

Here's an example with locals:

## file negative2.tf

```hcl
locals {
  tags = {
    bucket = "kfc"
  }
}

resource "aws_s3_bucket" "negative2" {
  bucket = "kfc"

  tags = local.tags
}
```

The payload looks like this:

```json
{
	"document": [
		{
			"id": "e8ba3469-38b6-4cf1-95f4-bf92ce4b0a44",
			"locals": {
				"tags": {
					"bucket": "kfc"
				}
			},
			"resource": {
				"aws_s3_bucket": {
					"negative2": {
						"bucket": "kfc",
						"tags": "${local.tags}"
					}
				}
			},
			"file": "/Users/jycamier/workspace/kics/custom_queries/check_s3_mandatory_tag/test/negative2.tf"
		}
	]
}
```

The output:

```json
{
    "CxPolicy": [
        {
            "documentId": "023abda0-de0a-45c9-9594-b451dc51a1cf",
            "issueType": "MissingAttribute",
            "keyActualValue": "aws_s3_bucket[negative2].tags.bucket is missing or null",
            "keyExpectedValue": "aws_s3_bucket[negative2].tags.bucket is set and not null",
            "searchKey": "aws_s3_bucket[{{negative2}}].tags.bucket"
        }
    ]
}
```

jycamier, Feb 14 '22 11:02
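Until KICS resolves locals itself, a custom query can fall back to the document's `locals` block when the reference survives as a literal string. The following is an added example, not code from the issue or from the KICS project; it assumes the payload shape shown above (a top-level `locals` object and the unresolved reference rendered as `"${local.<name>}"`) and the existing `common_lib.valid_key` helper.

```rego
package Cx

import data.generic.common as common_lib

# Added example (not KICS code): same check as the query in the issue, but the
# tag lookup is delegated to has_bucket_tag so a locals reference is handled.
CxPolicy[result] {
	doc := input.document[i]
	resource := doc.resource.aws_s3_bucket[name]

	not has_bucket_tag(doc, resource)

	result := {
		"documentId": doc.id,
		"searchKey": sprintf("aws_s3_bucket[{{%s}}].tags.bucket", [name]),
		"issueType": "MissingAttribute",
		"keyExpectedValue": sprintf("aws_s3_bucket[%s].tags.bucket is set and not null", [name]),
		"keyActualValue": sprintf("aws_s3_bucket[%s].tags.bucket is missing or null", [name]),
	}
}

# Case 1: tags were evaluated into a map (inline map or a var.* reference),
# so the key can be checked directly.
has_bucket_tag(_, resource) {
	common_lib.valid_key(resource.tags, "bucket")
}

# Case 2: tags survived as the literal string "${local.<name>}" (the payload
# shape in this issue); look the map up in the document's "locals" block.
# Any other unresolved string (e.g. a var.* or module output) falls through,
# so the resource is still reported rather than silently passing.
has_bucket_tag(doc, resource) {
	is_string(resource.tags)
	startswith(resource.tags, "${local.")
	local_name := trim_suffix(trim_prefix(resource.tags, "${local."), "}")
	common_lib.valid_key(doc.locals[local_name], "bucket")
}
```

With the two payloads above, the `var.tags` document matches case 1 and the `local.tags` document matches case 2, so neither is reported; a bucket whose locals map lacks `bucket` is still flagged.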

Hi @jycamier, hope you are doing well.

Currently we don't support Terraform locals due to its parsing complexity, but we'll research it and check if it can be added in the future.

joaorufi, Feb 14 '22 18:02

Hi @joaorufi

Thanks for your answer. So, I hope to see this new feature very soon.

jycamier, Feb 15 '22 12:02

Hi! Any updates on this?

gforien, Aug 12 '22 10:08