cli icon indicating copy to clipboard operation
cli copied to clipboard

Published 20 hours ago verified publisher icon terraform-compliance

Not able to read a property value supplied via variable inside provider block

Open vrbcntrl opened this issue 4 years ago • 9 comments

Hi @eerkunt ,

Today, we ran into an issue where in when we are checking for restricted regions, the test is FAILED even though the condition is met.

my template:

main.tf

provider "aws" {
  region = var.aws_region
  skip_requesting_account_id = true
  skip_credentials_validation = true
}
resource "aws_autoscaling_group" "bar" {
  name                 = "terraform-asg-example"
  min_size             = 1
  max_size             = 2

  lifecycle {
    create_before_destroy = true
  }
}

in the above template, the region value is passed from a variables.tf file shown below

variables.tf

variable "aws_region" {
  type = string
  description = "Name of the AWS region"
  default = "us-east-1"
}

my test case:

  Scenario: restricted regions test
        Given I have aws provider configured
        Then it must contain region
	And its value must be us-east-1

test results:

image

attached the tf plan json region_test.json.txt

terraform version: 0.12.4 aws provider : 2.56.0 tc version : 1.1.15

running on windows 10 with python 3.7.3

vrbcntrl avatar Apr 09 '20 19:04 vrbcntrl

Hi!

Having the same issue using google as provider. Any updates on when this maybe fixed?

Thx!

//BR Jens H

jenshonkan84 avatar Apr 30 '20 07:04 jenshonkan84

Sorry too many things at the same time for the last 2 months. Just reproduced the problem, I will have a look on this sometime today hopefully.

eerkunt avatar Apr 30 '20 09:04 eerkunt

This is because there is no interpolation in plan.out for providers - which make things quite complicated.

eerkunt avatar Apr 30 '20 10:04 eerkunt

The problem is described in https://github.com/hashicorp/terraform/issues/24059.

Unfortunately this depends on terraform this time.

eerkunt avatar Apr 30 '20 10:04 eerkunt

Ok. But is there a way to look if a variable is set?

Pseudo code:

Scenario: Provider must have correct region defined
    Given I have variables defined
    Then it must contain REGION
    And its value must match the "^europe-(north1|west(1|3|4))$" regex

Then in the provider you can have:

Scenario: Provider must have correct region defined
    Given I have google provider configured
    Then it must contain region
    And its value must match the "var.REGION" regex

I don't know if this is a possible workaround?

//BR Jens

jenshonkan84 avatar Apr 30 '20 10:04 jenshonkan84

If a variable is set, yes, this will work. You can even use Scenario Preconditions with that. The problems starts when it is not a variable.. What if it is a local ? or coming from a data or any resource output. We can still write a test for these cases, but we can't write a test saying provider.google.region value will match ^europe-(north1|west(1|3|4))$ independent of where it comes from.

eerkunt avatar Apr 30 '20 12:04 eerkunt

Ok good news. :)

I have done some tests but i cannot get it to work:

Scenario: Restrict Provider region workaround Given I have variables defined When it contains zone Then its value must match the "^europe-(north1|west(1|3|4))-(a|b|c)$" regex

Output: Scenario: Restrict Provider region workaround Given I have variables defined * SKIPPING: Skipping the step since variable type does not have zone property. When it contains zone Then its value must match the "^europe-(north1|west(1|3|4))-(a|b|c)$" regex

I dont know if I have made a config error?

//BR Jens H

jenshonkan84 avatar May 04 '20 06:05 jenshonkan84

Hi, sorry for the late reply.

For the variable part, I think the test should be structured like below ;

  Scenario: restricted regions test
    Given I have aws_region variable configured
    Then its value must match the "^europe-(north1|west(1|3|4))$" regex

eerkunt avatar May 24 '20 16:05 eerkunt

I found something within an Azure provider block, this may be just me not understanding how to create the correct Scenario however:

test code:

Feature: Azure Provider

  Scenario: Ensure that Azure Provider constraint is at least set to the minimum version
    Given I have azurerm provider configured
    When it contains version
    Then its value must be greater than 2.0.0

  Scenario: Ensure that Azure AD Provider constraint is at least set to a minimum version
    Given I have azuread provider configured
    When it contains version
    Then its value must be greater than 0.6.0

Terraform code:

provider "azurerm" {
  version                 = "=1.41.0"
  alias                   = "hub"
  subscription_id         = var.hub_subscription
  tenant_id               = var.tenant_id
  client_id               = var.client_id
  client_certificate_path = var.client_certificate_path
}

provider "azuread" {
  version                 = "=0.3.1"
  alias                   = "ad_lookup"
  subscription_id         = var.subscription_id
  tenant_id               = var.tenant_id
  client_id               = var.client_id
  client_certificate_path = var.client_certificate_path
}

Here we can see both providers are setting an incorrect version, however the tests are skipped:

   Scenario: Ensure that Azure Provider constraint is at least set to the minimum version
        Given I have azurerm provider configured
	SKIPPING: Skipping the step since provider type does not have version property.
        When it contains version
        Then its value must be greater than 2.0.0

    Scenario: Ensure that Azure AD Provider constraint is at least set to a minimum version
        Given I have azuread provider configured
	SKIPPING: Skipping the step since provider type does not have version property.
        When it contains version
        Then its value must be greater than 0.6.0

Is this just me mixing this up?

Tf version: 0.12.28 TC version: 1.0.58

twllight avatar Jul 08 '20 17:07 twllight