tfsec
question: Was it intended for --workspace argument to pass terraform.workspace to tfsec
When reading the docs it seems to suggest that `--workspace` is only for passing ignore limits. However I was pleasantly surprised to find in my testing it can be used to specify which workspace tfsec should evaluate `terraform.workspace` to. This means tfsec can use the `--workspace` parameter to perform map lookups, evaluate conditional expressions and use as a value in functions like `contains`.
If I omit the `--workspace` parameter from tfsec scans I find tfsec struggles to parse my configuration properly and gives misleading results. It completely fails to expand `for_each` loops that use maps that have `terraform.workspace` as the key.
It would be great if the docs could clarify that `--workspace` has further use than ignore limits. Neither the original feature request nor the PR which implements `--workspace` mention this.
Hey @haodeon - I think you've stumbled on a side effect here, the intention of `--workspace` is entirely about ignores. I'm not sure why you have problems when running without specifying a workspace, by default it uses `--workspace default` if nothing is specified, that should really be there.

I'll take a look at the side effects and try to document at some point. If you feel you have enough insight, PRs are always welcome :-)
Hi @owenrumney,
We use `terraform.workspace` as a key to map variables. Instead of passing in a tfvars file, we just bake everything into `variables.tf`. We purposely omit `default` as a key in our maps so the default workspace will always fail to validate. A typical map variable for us will look like below.
```hcl
variable "sql_vms" {
  type = map(list(object({
    name      = string
    log_disk  = number
    data_disk = number
    cluster   = bool
  })))
  description = "The name of the sql VMs to create"
  default = {
    # Only the "test" workspace is declared; the "default" workspace has no
    # entry, so var.sql_vms["default"] fails to validate on purpose.
    test = [
      {
        name      = "testsql01"
        log_disk  = 3
        data_disk = 3
        cluster   = true
      },
      {
        name      = "testsql02"
        log_disk  = 3
        data_disk = 3
        cluster   = true
      },
      {
        name      = "testsql03"
        log_disk  = 1
        data_disk = 1
        cluster   = false
      }
    ]
  }
}
```
We would then use this in a variety of ways but a common one would be a `for_each` expression like below.

```hcl
for_each = { for vm in var.sql_vms[terraform.workspace] : vm.name => vm if vm.cluster == true }
```
Without `--workspace test`, I find tfsec fails to find any resources in the `for_each`. Once I provide `--workspace test` I get debug output like:

```
[debug:eval][root] Expanded block 'module.sqlvm' into 2 clones via 'for_each' attribute.
```
If tfsec by default uses `--workspace default`, it probably explains the issue I am seeing. Parsing the terraform configuration with `terraform.workspace` set to `default` will result in the HCL parser failing. However, I am not knowledgeable enough to say for sure.
I hope my examples can help you validate the behaviour I am seeing. I am happy to contribute a PR for docs if this is accepted behaviour.
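The practical consequence of the behaviour described in this thread is that a scan run with the wrong workspace expands none of the workspace-keyed resources, so it silently reports no findings for them. The script below, an added example that is not part of the tfsec project or of either commenter's setup, scans a directory once per workspace so every environment's resources are actually evaluated; it assumes the workspace names are passed explicitly and that `TFSEC_BIN` names the tfsec binary.

```shell
#!/bin/sh
# Added example (not tfsec's own code): run tfsec once per Terraform workspace.
# A map keyed by terraform.workspace only expands the resources of the workspace
# tfsec evaluates, so one scan with the default workspace misses every other
# environment. Assumption: TFSEC_BIN points at the tfsec binary (default "tfsec");
# workspace names are given on the command line rather than parsed from variables.tf.

TFSEC_BIN="${TFSEC_BIN:-tfsec}"

# scan_workspaces DIR WS... : scans DIR once per workspace name and returns the
# number of workspaces whose scan exited non-zero (0 means every scan passed).
scan_workspaces() {
  dir="$1"
  shift
  failed=0
  for ws in "$@"; do
    echo "== tfsec scan of $dir with terraform.workspace = $ws"
    if ! "$TFSEC_BIN" --workspace "$ws" "$dir"; then
      echo "!! scan failed for workspace $ws"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Usage from CI (constructed example): fail the job if any workspace has findings.
#   scan_workspaces ./infra test staging prod || exit 1
```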
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.