Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(terraform): Handled nested unrendered vars #3853

Merged
merged 3 commits into from
Nov 13, 2022
Merged

fix(terraform): Handled nested unrendered vars #3853

merged 3 commits into from
Nov 13, 2022

Conversation

mikeurbanski1
Copy link
Contributor

@mikeurbanski1 mikeurbanski1 commented Nov 11, 2022
edited
Loading

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

Adds logic to handle unrendered variables for custom policies that use nested attributes, like checking for a specific tag.

Previously, tags.component equals ... for tags = local.unrendered_var would fail because the value of that attribute is None, and this doesn't get picked up as an unrendered var. The fix is to check each attribute part (first tags, then tags.component) to see if it maps to an unrendered var.

Additionally, , a policy like tags.component exists would fail for tags = local.unrendered_var, because of the is_value_attribute_check condition. This PR modifies that behavior to only care about is_value_attribute_check when we are evaluating the literal attribute in the policy (tags.component, not just tags).

This PR also adds some explicit tests for simple and nested unrendered variables for conditions with and without value, since it seemed like those were missing. (They are just reflected in changed results of other tests for other things).

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

rotemavni
rotemavni approved these changes Nov 13, 2022
View reviewed changes
Copy link
Collaborator

@rotemavni rotemavni left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

gruebel
gruebel approved these changes Nov 13, 2022
View reviewed changes
Copy link
Contributor

@gruebel gruebel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

noice 🍺

@gruebel gruebel merged commit 2003ad7 into master Nov 13, 2022
@gruebel gruebel deleted the handled-nested-unrendered-vars branch November 13, 2022 17:29
Guo-Bicheng pushed a commit to Guo-Bicheng/checkov that referenced this pull request Nov 14, 2022
@mikeurbanski1 @actions-user
fix(terraform): Handled nested unrendered vars (bridgecrewio#3853)
d230ae9 
* handle nested attributes when checking for unrendered vars

* add dedicated unrendered vars tests

* remove unused var
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rotemavni rotemavni rotemavni approved these changes

@gruebel gruebel gruebel approved these changes

@YaaraVerner YaaraVerner Awaiting requested review from YaaraVerner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mikeurbanski1 @gruebel @rotemavni