Module based aws_alb resource not recognized #249

Closed
anthonycolon25 opened this issue Apr 2, 2020 · 13 comments
Labels: bug, waiting for confirmation

anthonycolon25 commented Apr 2, 2020

Description:
I have a TF template which calls an ALB module. My tests should check the tags required for aws_alb resources (in addition to other required tags). These steps are being skipped, stating that it did not find any aws_alb resources.

To Reproduce

  1. I am using terraform-compliance version 1.1.15

Feature: Resources should be properly tagged
  In order to keep track of resource ownership
  As engineers
  We'll enforce tagging on all resources

# Check required tag for ALB and CF
  Scenario: Ensure that waf_policy for ALB/CF tag is defined
    Given I have aws_alb resource defined
    When it contains tags
    Then it must contain waf_policy
    And its value must match the "^(internal|external|custom)$" regex

  Scenario: Ensure that waf_custom for ALB/CF tag is defined
    Given I have aws_alb resource defined
    When it contains tags
    Then it must contain waf_custom

Output:

 Scenario: Ensure that waf_policy for ALB/CF tag is defined
	* SKIPPING: Can not find aws_alb resource defined in target terraform plan.
        Given I have aws_alb resource defined
        When it contains tags
        Then it must contain waf_policy
        And its value must match the "^(internal|external|custom)$" regex

    Scenario: Ensure that waf_custom for ALB/CF tag is defined
	* SKIPPING: Can not find aws_alb resource defined in target terraform plan.
        Given I have aws_alb resource defined
        When it contains tags
        Then it must contain waf_custom

I am attaching my plan.json
plan.out.json.txt

@anthonycolon25 anthonycolon25 changed the title Module based AWS ALB Resource not recognized Module based aws_alb Resource not recognized Apr 2, 2020
@anthonycolon25 anthonycolon25 changed the title Module based aws_alb Resource not recognized Module based aws_alb resource not recognized Apr 2, 2020
anthonycolon25 (Author) commented

Hi @eerkunt,

Hope you are doing well. Any ideas on this one?

eerkunt (Member) commented May 18, 2020

Having a look at this right now.

eerkunt (Member) commented May 21, 2020

This is a weird problem, still couldn't fix this. I am taking a day off from work tomorrow and will focus on terraform-compliance.

Hoping to fix it in tomorrow's release(s).

eerkunt (Member) commented May 24, 2020

Hi @anthonycolon25,

Looks like I was quite confused on this one :)

The sentence in the GIVEN step is wrong.

Instead of:

Given I have aws_alb resource defined

if you change this to:

Given I have aws_alb defined

or

Given I have aws_alb resource configured

It should work :)

@eerkunt eerkunt added the waiting for confirmation Workaround/Fix applied, waiting for confirmation label May 24, 2020
anthonycolon25 (Author) commented May 25, 2020

So sorry for that. I should have noticed that as well.

I changed the two scenarios above to

Given I have aws_alb defined

It now seems to find the aws_alb resource. It is correctly passing the first test but failing on the second. I do have a "waf_custom" property set to a value of "". If I set a non-empty value for "waf_custom" then the test passes.

I would think the following test would pass with an empty string, right?

Then it must contain waf_custom

Does that just check for the tag existence or both existence and non-empty value?

In my use-case, waf_custom would only have a value if waf_policy is set to "custom". Otherwise it would be just an empty string but the waf_custom tag is required for aws_alb.

I am using terraform-compliance version 1.1.15

eerkunt (Member) commented May 27, 2020

It won't check a non-empty value. It will check if that key exists.

Sounds like waf_custom is not even initialised, thus key doesn't exist on an empty value.

Couldn't exactly understand the details of your use case, but it sounds like you need filtering with:

When its waf_custom is <something>

and then execute additional operations.

anthonycolon25 (Author) commented

I'll give that a try. Just to clarify the use case a bit more.

  • We have several required tags for all taggable resources (10 tags)
  • For alb resources there are two additional required tags (waf_policy and waf_custom)
  • Possible values for waf_policy are "internal", "external" and "custom".
  • If the waf_policy is set to "internal" or "external" then the value for waf_custom is not really relevant. Most people just leave it as the default of ""
  • If the waf_policy is set to "custom", then waf_custom must hold the name/ID of the waf policy assigned.

I hope this helps clarify.

anthonycolon25 (Author) commented

I looked at the plan.out.json and I see that the "waf_custom" key does exist in the tags with an empty value.

I also looked into your recommendation above but that seems to only check the value when it's non-empty. It doesn't really help to just check for key existence.
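
The distinction discussed in this thread (tag key existence versus a non-empty value, on a resource nested inside a module), as an added example that is not part of the original thread and is not terraform-compliance code. It walks a constructed plan JSON shaped like `terraform show -json` output and applies the tag rules from the use case above; the function names and the sample plan are assumptions.

```python
import json
import re

# Constructed sample shaped like `terraform show -json` output: the ALB lives
# in a child module, as in the issue (address module.alb.aws_alb.alb).
PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [],
  "child_modules": [{
    "address": "module.alb",
    "resources": [{
      "address": "module.alb.aws_alb.alb", "type": "aws_alb", "name": "alb",
      "values": {"tags": {"waf_policy": "internal", "waf_custom": ""}}}]}]}}}
""")

POLICY_RE = re.compile(r"^(internal|external|custom)$")

def walk(module):
    """Yield resources from a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def check_alb_tags(plan, rtype="aws_alb"):
    """Return a list of (address, problem) tuples for the WAF tag rules."""
    problems = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in walk(root):
        if res.get("type") != rtype:
            continue
        tags = (res.get("values") or {}).get("tags") or {}
        addr = res["address"]
        for key in ("waf_policy", "waf_custom"):
            if key not in tags:  # existence only: "" still counts as present
                problems.append((addr, f"missing tag {key}"))
        policy = tags.get("waf_policy")
        if policy is not None and not POLICY_RE.match(policy):
            problems.append((addr, f"invalid waf_policy {policy!r}"))
        # The value of waf_custom only matters when the policy is "custom".
        if policy == "custom" and not tags.get("waf_custom"):
            problems.append((addr, "waf_policy is custom but waf_custom is empty"))
    return problems

if __name__ == "__main__":
    for addr, problem in check_alb_tags(PLAN):
        print(f"{addr}: {problem}")
```

Only resources under `planned_values` are inspected; tag values that are unknown until apply are not handled here.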

@eerkunt eerkunt removed the waiting for confirmation Workaround/Fix applied, waiting for confirmation label May 31, 2020
eerkunt (Member) commented Jun 7, 2020

Hi @anthonycolon25,

I think you can utilise preconditions for achieving what you want.

For example:

Scenario: Precondition check for waf_policy value
    Given I have aws_alb defined
    When it has tags
    Then it must contain tags
    And it must contain waf_policy
    When its waf_policy is custom

@precondition(test.feature: Precondition check for waf_policy value)
Scenario: Ensure waf_custom is set to name/ID of the waf policy
    Given I have aws_alb defined
    When it has tags
    Then it must contain tags
    And it must contain waf_custom
    And its value must match the "ABC" regex

for which the execution will look like:

Scenario: Precondition check for waf_policy value
        Given I have aws_alb defined
        When it has tags
        Then it must contain tags
        And it must contain waf_policy
        When its waf_policy is internal

    @precondition(test.feature: Precondition check for waf_policy value)
    Scenario: Ensure waf_custom is set to name/ID of the waf policy
        Given I have aws_alb defined
        When it has tags
        Then it must contain tags
        And it must contain waf_policy
        When its waf_policy is internal
        Given I have aws_alb defined
        When it has tags
        Then it must contain tags
        And it must contain waf_custom
		Failure: waf_custom property in module.alb.aws_alb.alb resource does not match with ABC case insensitive regex. It is set to .
		Failure: waf_custom property in module.alb.aws_alb.alb resource does not match with ABC case insensitive regex. It is set to .
		Failure: waf_custom property in module.alb.aws_alb.alb resource does not match with ABC case insensitive regex. It is set to .
        And its value must match the "ABC" regex

Let me know if this will fix your issue.

Kudbettin (Member) commented

In addition to @eerkunt's response, could you have a try with 1.2.5?

Your original features should pass now.

@Kudbettin Kudbettin added the waiting for confirmation Workaround/Fix applied, waiting for confirmation label Jun 7, 2020
anthonycolon25 (Author) commented

I have tested with 1.2.5 and the original feature now passes. Thank you, @Kudbettin and @eerkunt.

eerkunt (Member) commented Jun 24, 2020

Thanks @anthonycolon25 for re-testing it 🎉

Closing the issue as it's solved. Please do not hesitate to create a new one if the problem (or a similar one) occurs.

@eerkunt eerkunt closed this as completed Jun 24, 2020