Description :
When running a test against a resource with multiple occurrences in a terraform file, the failing resource will be identified with the name of the first resource of the type, although the failure occurs in a resource with a different name.
In my case I would like to do some checks on Network Load Balancers with several Listeners configured. The test is to only allow TCP or TLS listeners. The example Terraform has 3 listeners: 1. a TCP listener (which should not fail), 2. a UDP listener (which should fail) and 3. a TCP_UDP listener (which should fail). As I understand it, it will only show the first failure, which in this case is the UDP listener. The error identifies the correct reason for failure but shows the name of the first Listener as the offending resource, which is not correct.
To Reproduce
Here is the Terraform code with all supporting resources:
```hcl
provider "aws" {
  region  = "eu-west-1"
  profile = "cr-mmerck"
}

# ----------------------------------------------------------------
# Data sources
# ----------------------------------------------------------------

# ----------------------------------------------------------------
# Helper Resources needed to provision some of the test Resources
# ----------------------------------------------------------------
resource "aws_vpc" "test-vpc" {
  cidr_block = "10.0.0.0/16"
  tags = {
    Name = "TestVPC Compliant checks"
  }
}

resource "aws_internet_gateway" "test-igw" {
  vpc_id = "${aws_vpc.test-vpc.id}"
  tags = {
    Name = "Test VPC IGW"
  }
}

resource "aws_subnet" "test-subnet-pubA" {
  vpc_id     = "${aws_vpc.test-vpc.id}"
  cidr_block = "10.0.0.0/24"
  tags = {
    Name = "Public Subnet A Compliant checks"
  }
}

resource "aws_subnet" "test-subnet-pubB" {
  vpc_id     = "${aws_vpc.test-vpc.id}"
  cidr_block = "10.0.1.0/24"
  tags = {
    Name = "Public Subnet B Subnet Compliant checks"
  }
}

resource "aws_subnet" "test-subnet-privA" {
  vpc_id     = "${aws_vpc.test-vpc.id}"
  cidr_block = "10.0.10.0/24"
  tags = {
    Name = "Private Subnet A Subnet Compliant checks"
  }
}

resource "aws_subnet" "test-subnet-privB" {
  vpc_id     = "${aws_vpc.test-vpc.id}"
  cidr_block = "10.0.11.0/24"
  tags = {
    Name = "Private Subnet B Compliant checks"
  }
}

resource "aws_route_table" "test-pub-rtb" {
  vpc_id = "${aws_vpc.test-vpc.id}"
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = "${aws_internet_gateway.test-igw.id}"
  }
  tags = {
    Name = "Test VPC Public Route Table"
  }
}

resource "aws_route_table_association" "test-pubA-rtb-assoc" {
  subnet_id      = "${aws_subnet.test-subnet-pubA.id}"
  route_table_id = "${aws_route_table.test-pub-rtb.id}"
}

resource "aws_route_table_association" "test-pubB-rtb-assoc" {
  subnet_id      = "${aws_subnet.test-subnet-pubB.id}"
  route_table_id = "${aws_route_table.test-pub-rtb.id}"
}

# ----------------------------------------------------------------
# Compliant
# ----------------------------------------------------------------
# Create Loadbalancer with listener on port 443 and redirect on port 80 to 8080
# [1] Security Group
resource "aws_security_group" "sg-loadBalancer-noncompliant" {
  name        = "sg-loadBalancer-noncompliant"
  description = "Allow HTTP/HTTPS inbound traffic"
  vpc_id      = "${aws_vpc.test-vpc.id}"
  ingress {
    # HTTP (change to whatever ports you need)
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    # HTTPS
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Network LoadBalancer
resource "aws_lb" "nlb-noncompliant" {
  name               = "nlb-noncompliant"
  internal           = false
  load_balancer_type = "network"
  security_groups    = ["${aws_security_group.sg-loadBalancer-noncompliant.id}"]
  subnets            = ["${aws_subnet.test-subnet-pubA.id}",
                        "${aws_subnet.test-subnet-pubB.id}"]
}

# [1] Listener on TCP on port other than 443
resource "aws_lb_listener" "tcp-listener-noncompliant" {
  load_balancer_arn = "${aws_lb.nlb-noncompliant.arn}"
  port              = "80"
  protocol          = "TCP"
  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      message_body = "HEALTHY"
      status_code  = "200"
    }
  }
}

# [2] Listener on UDP
resource "aws_lb_listener" "udp-listener-noncompliant" {
  load_balancer_arn = "${aws_lb.nlb-noncompliant.arn}"
  port              = "1443"
  protocol          = "UDP"
  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      message_body = "HEALTHY"
      status_code  = "200"
    }
  }
}

# [3] Listener on TCP_UDP
resource "aws_lb_listener" "tcpudp-listener-noncompliant" {
  load_balancer_arn = "${aws_lb.nlb-noncompliant.arn}"
  port              = "53"
  protocol          = "TCP_UDP"
  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      message_body = "HEALTHY"
      status_code  = "200"
    }
  }
}
```
Used terraform-compliance via: python package
terraform-compliance parameters: `terraform-compliance -f features/ -p tf/out.plan`

Feature/scenario/steps:

```gherkin
Scenario: Only allow TLS and TCP protocols on NLBs
    Given I have aws_lb_listener resource configured
    When it contain protocol
    Then its value must not match the ".*(UDP|udp)$" regex
```

Output:

```
Failure: protocol property in aws_lb_listener.tcp-listener-noncompliant resource matches with .*(UDP|udp)$ regex. It is set to TCP_UDP.
```
Expected behavior :
The error message should be:
```
Failure: protocol property in aws_lb_listener.tcpudp-listener-noncompliant resource matches with .*(UDP|udp)$ regex. It is set to TCP_UDP.
```

Tested versions :
terraform-compliance version (terraform-compliance -v): 1.0.51
terraform version (terraform -v): Terraform v0.12.12
python runtime version (python --version): Python 3.7.4
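An added Python illustration of the symptom described above and of the expected per-resource reporting; this is not terraform-compliance's code, and the plan-like records, function names and the "last match wins" detail are constructed for the example:

```python
import re

# Constructed, simplified plan-like records for the three aws_lb_listener resources
# in the report (not terraform-compliance's real plan model or API).
LISTENERS = [
    {"address": "aws_lb_listener.tcp-listener-noncompliant",
     "values": {"port": "80", "protocol": "TCP"}},
    {"address": "aws_lb_listener.udp-listener-noncompliant",
     "values": {"port": "1443", "protocol": "UDP"}},
    {"address": "aws_lb_listener.tcpudp-listener-noncompliant",
     "values": {"port": "53", "protocol": "TCP_UDP"}},
]
REGEX = r".*(UDP|udp)$"   # the regex from the scenario's "must not match" step


def _message(prop, address, regex, value):
    return (f"Failure: {prop} property in {address} resource matches with "
            f"{regex} regex. It is set to {value}.")


def buggy_first_failure(resources, prop, regex):
    """Hypothetical re-creation of the symptom (not the project's code): each
    resource is checked, but the address written into the message is that of the
    first resource of the type, so the offender is misidentified."""
    pattern = re.compile(regex)
    first_address = resources[0]["address"]
    offending_value = None
    for res in resources:
        value = res["values"].get(prop)
        if value is not None and pattern.match(value):
            offending_value = value  # last match wins, reproducing the quoted output
    return _message(prop, first_address, regex, offending_value) if offending_value else None


def fixed_failures(resources, prop, regex):
    """Expected behaviour: one failure per offending resource, each reported under
    its own address. re.match anchors at the start; the leading .* allows that."""
    pattern = re.compile(regex)
    return [
        _message(prop, res["address"], regex, res["values"][prop])
        for res in resources
        if prop in res["values"] and pattern.match(res["values"][prop])
    ]


if __name__ == "__main__":
    print(buggy_first_failure(LISTENERS, "protocol", REGEX))
    print("\n".join(fixed_failures(LISTENERS, "protocol", REGEX)))
```

Note that with `.*(UDP|udp)$` both the UDP and the TCP_UDP listener match, so a correct report contains two failures, each under its own address, and the compliant TCP listener appears in neither.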
Yes, this was a bug within one of the internal functions that returns the resource name on the failure of that specific step. The problem is fixed on #175, it will be released soon.