
Terraform 12 string interpolation within heredocs break entire doc

Open milldr opened this issue 4 years ago • 5 comments

If a heredoc for a policy or the like has string interpolation, it will resolve to be null. Removing the variable will behave as expected.

When a policy has a string interpolation in it, config-lint always returns an OK.

Example:

resource "aws_sqs_queue_policy" "policy_version_set_incorrectly" {
  queue_url = aws_sqs_queue.test_queue.id

  policy = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sqs:SendMessage",
      "Resource": "${aws_sqs_queue.test_queue.arn}"
    }
  ]
}
EOF
}

resolves to:

  {
    "ID": "policy_version_set_incorrectly",
    "Type": "aws_sqs_queue_policy",
    "Category": "resource",
    "Properties": {
      "policy": null,
      "queue_url": "UNDEFINED"
    },
    "Filename": "testdata/builtin/terraform12/aws/sqs_queue_policy/policy_version.tf",
    "LineNumber": 25
  }

Change "Resource": "${aws_sqs_queue.test_queue.arn}" to "Resource": "#{aws_sqs_queue.test_queue.arn}" and now the resource (correctly) resolves to

  {
    "ID": "policy_version_set_incorrectly",
    "Type": "aws_sqs_queue_policy",
    "Category": "resource",
    "Properties": {
      "policy": {
        "Statement": [
          {
            "Action": "sqs:SendMessage",
            "Effect": "Allow",
            "Resource": "#{aws_sqs_queue.test_queue.arn}"
          }
        ],
        "Version": "2008-10-17"
      },
      "queue_url": "UNDEFINED"
    },
    "Filename": "testdata/builtin/terraform12/aws/sqs_queue_policy/policy_version.tf",
    "LineNumber": 25
  }

milldr avatar Mar 05 '20 19:03 milldr

Reopening this. The bug isn't resolved, but instead we found a workaround for our use case. Will come back to this after higher priority items.

milldr avatar Mar 05 '20 21:03 milldr

for reference, the mentioned workaround is for #113

milldr avatar Mar 05 '20 21:03 milldr

I dug into this a little and found that variables that are determined after a deploy (like aws_sqs_queue.test_queue.arn) cause the entire JSON block to be "undefined"/nil.

Ideally we'd want these variables to resolve as "UNDEFINED", or even better the variable name could be kept in place so the name could be used for matching in rules.

kmonihen avatar Apr 21 '20 17:04 kmonihen

If there is a string interpolation in the Resource definition, the test always returns an OK.

twellspring avatar Jun 25 '20 18:06 twellspring

Found a customer rule that is specifically looking to see if a particular parameter contains a variable. So hopefully we can fix this such that it still sees the variable.

twellspring avatar Jun 25 '20 22:06 twellspring
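As an added example (not config-lint's own code, and in Python rather than the project's Go), one way to get the behaviour kmonihen and twellspring ask for: interpolations that cannot be known before deploy are kept verbatim, so the heredoc still parses and a rule can see the variable, and a policy that fails to parse is reported instead of passing as OK. The Version rule (expecting 2012-10-17), the `known` map and all function names are assumptions for illustration.

```python
from __future__ import annotations
import json
import re
from typing import Any

# Matches one Terraform interpolation, e.g. ${aws_sqs_queue.test_queue.arn}.
# Nested braces are not handled; plain attribute references never need them.
INTERPOLATION = re.compile(r"\$\{\s*([^{}]+?)\s*\}")

def resolve_heredoc(body: str, known: dict[str, str]) -> Any:
    """Parse a JSON heredoc, substituting only interpolations whose value is
    known before deploy. Unknown ones (an ARN or ID assigned at apply time)
    are kept verbatim as ${...} instead of nulling the whole block."""
    def substitute(m):
        expr = m.group(1)
        if expr in known:
            # json.dumps escapes the value so it stays a valid JSON string.
            return json.dumps(known[expr])[1:-1]
        return m.group(0)
    try:
        return json.loads(INTERPOLATION.sub(substitute, body))
    except json.JSONDecodeError:
        return None

def references_variable(value: Any) -> bool:
    """True if any string inside value still carries an unresolved ${...}."""
    if isinstance(value, str):
        return INTERPOLATION.search(value) is not None
    if isinstance(value, dict):
        return any(references_variable(v) for v in value.values())
    if isinstance(value, list):
        return any(references_variable(v) for v in value)
    return False

def lint_policy(policy: Any) -> list[str]:
    """Findings for a queue policy; a policy that failed to parse is itself
    a finding, never a silent OK."""
    if policy is None:
        return ["policy could not be parsed; rule result is unknown, not OK"]
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append(f"Version is {policy.get('Version')!r}, expected '2012-10-17'")
    for stmt in policy.get("Statement", []):
        if references_variable(stmt.get("Resource")):
            findings.append(f"Resource references a variable: {stmt['Resource']}")
    return findings

# Constructed sample: the heredoc body from the report above, on one line.
POLICY_BODY = '{"Version": "2008-10-17", "Statement": [{"Effect": "Allow", "Action": "sqs:SendMessage", "Resource": "${aws_sqs_queue.test_queue.arn}"}]}'
```

Running `lint_policy(resolve_heredoc(POLICY_BODY, {}))` on the sample yields two findings, the old policy Version and the unresolved ARN reference, where the reported behaviour yields none.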