
bug(terraform): merge with object changes input for kics

Open granular-ryanbonham opened this issue 7 months ago • 1 comment

Having a merge() which contains an inline-defined object seems to change the output of locals in the universal JSON format from ${local.common_tags} to local.common_tags.

Expected Behavior

Parsing/scanning this Terraform file

provider "aws" {
  region = var.REGION
  default_tags {
    tags = local.common_tags
  }
}

generates this JSON, which contains the expected result of "tags": "${local.common_tags}":

{
	"document": [
		{
			"id": "d336f75d-98b9-4223-890c-96f53fade0a0",
			"provider": {
				"aws": {
					"default_tags": {
						"tags": "${local.common_tags}"
					},
					"region": "${var.REGION}"
				}
			},
			"file": "/path/provider.tf"
		}
	]
}


Actual Behavior

Now we add a second .tf file with a resource which contains a merge() of our local with another object.

provider.tf

provider "aws" {
  region = var.REGION
  default_tags {
    tags = local.common_tags
  }
}

main.tf

resource "aws_security_group" "bastion" {
  name_prefix = "bastion-"
  vpc_id      = data.terraform_remote_state.scheduler.outputs.vpc_id

  tags = merge(
    local.common_tags,
    {
      Customer_Facing = "no"
      Name            = "bastion"
    }
  )
}

Note that the JSON now says "tags": "local.common_tags" for the provider's default_tags, which is not expected.

{
	"document": [
		{
			"id": "60a116ce-2924-4d6c-b6e8-378e9f52e0b3",
			"resource": {
				"aws_security_group": {
					"bastion": {
						"name_prefix": "bastion-",
						"tags": "${merge(\n    local.common_tags,\n    {\n      Customer_Facing = \"no\"\n      Name            = \"bastion\"\n    }\n  )}",
						"vpc_id": "${data.terraform_remote_state.scheduler.outputs.vpc_id}"
					}
				}
			},
			"file": "/path/main.tf"
		},
		{
			"file": "/path/provider.tf",
			"id": "3a1cbbab-6c48-403d-ad99-880ccf5662cc",
			"provider": {
				"aws": {
					"default_tags": {
						"tags": "local.common_tags"
					},
					"region": "${var.REGION}"
				}
			}
		}
	]
}

Testing has shown this occurs when the merge() is present. It also must be in a second file; if the resource and the provider block are in the same file, this doesn't occur.

granular-ryanbonham avatar Jul 14 '24 01:07 granular-ryanbonham
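A regression check for the inconsistency described in this report, added here as an example and not code from the report or from the KICS project: it walks a KICS universal JSON payload and flags string values that are bare Terraform references (local., var., data., module.) missing the ${...} wrapper, which is what a query matching on the wrapped form would silently miss. The sample documents are trimmed copies of the JSON quoted above, embedded inline; only the Python standard library is assumed.

```python
import re

# Constructed samples, trimmed from the two payloads quoted in the report:
# the expected provider document, the buggy one (provider.tf plus a sibling
# main.tf using merge()), and the resource document that triggers it.
EXPECTED_DOC = {
    "provider": {"aws": {"default_tags": {"tags": "${local.common_tags}"},
                         "region": "${var.REGION}"}},
    "file": "/path/provider.tf",
}
BUGGY_DOC = {
    "provider": {"aws": {"default_tags": {"tags": "local.common_tags"},
                         "region": "${var.REGION}"}},
    "file": "/path/provider.tf",
}
RESOURCE_DOC = {
    "resource": {"aws_security_group": {"bastion": {
        "tags": "${merge(local.common_tags, {Name = \"bastion\"})}",
        "vpc_id": "${data.terraform_remote_state.scheduler.outputs.vpc_id}"}}},
    "file": "/path/main.tf",
}

# A bare reference: a Terraform namespace prefix followed by a dotted path,
# with no ${...} interpolation wrapper around it.
BARE_REF = re.compile(r"^(?:local|var|data|module)\.[\w.]+$")


def find_bare_references(node, path=""):
    """Return dotted JSON paths whose string value is an unwrapped reference."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            hits.extend(find_bare_references(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_bare_references(value, f"{path}[{i}]"))
    elif isinstance(node, str) and BARE_REF.match(node):
        hits.append(path)
    return hits


def check_kics_payload(payload):
    """Map each document's source file to the bare references found in it."""
    findings = {}
    for doc in payload.get("document", []):
        hits = find_bare_references(doc)
        if hits:
            findings.setdefault(doc.get("file", "?"), []).extend(hits)
    return findings
```

Run the check against the JSON KICS emits for a scan; any non-empty result means a reference was serialized in the bare form and rules keyed on the ${...} form will not match it.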