
Possible bug in And its key does not include value #284

Status: Closed
vrbcntrl opened this issue Jun 3, 2020 · 4 comments
Labels: bug; waiting for confirmation (Workaround/Fix applied, waiting for confirmation)

Comments

vrbcntrl (Contributor) commented Jun 3, 2020

Description:
A possible bug in the "And its key does not include value" step, causing the step to SKIP even when the value is found.

To Reproduce

1. <Either a sample terraform code, or your terraform plan file if it doesn't have any confidential information>

```hcl
resource "aws_s3_bucket" "bucket" {
  bucket = "mybucket"

  grant {
    id          = "current_user_id"
    type        = "CanonicalUser"
    permissions = ["FULL_CONTROL"]
  }

  grant {
    type        = "Group"
    permissions = ["READ", "WRITE"]
    uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery"
  }
}
```

2. <Used terraform-compliance parameters>

```
terraform-compliance -t C:\Softwares\cloud\Terraform\0.12.24\terraform.exe -p C:\TF_Templates\plan.json -f C:\TC_Rules
```

3. Python package

4. (screenshot of the run's output; image not preserved)

5. <Your feature/scenario/steps>

```gherkin
Scenario Outline: Ensure S3 Bucket's ACL grant does not include write permissions, test2
    Given I have aws_s3_bucket defined
    When it has grant
    And its permissions does not include <value>
Examples:
| value           |
| WRITE           |
| WRITE_ACP       |
| FULL_CONTROL    |
```

Expected behavior:
The Scenario should FAIL.

Tested versions:

- terraform-compliance version (terraform-compliance -v): terraform-compliance v1.2.3
- terraform version (terraform -v): Terraform v0.12.24, + provider.aws v2.64.0
- python runtime version (python --version): Python 3.8.2

Additional context

If I rewrite the Scenario as shown below, it works as expected:

```gherkin
Scenario: Ensure S3 Bucket's ACL grant does not include write permissions, test1
    Given I have aws_s3_bucket defined
    When it has grant
    Then it must contain permissions
    And its value must not match the "(^WRITE$)|(^WRITE_ACP$)|(^FULL_CONTROL$)" regex
```

Output: (screenshot; image not preserved)

I have also attached the plan json for your reference: plan.json.txt

Kudbettin (Member) commented
I think the issue with the first feature stems from not drilling down enough.

- When filters
- Then drills down

```gherkin
Given I have aws_s3_bucket defined
When it has grant
And "its" permissions does not include <value>
```

The problem here is that "its" still refers to aws_s3_bucket and not grant, since you haven't drilled down yet. Thus, terraform-compliance can't find permissions at all since it's looking into the wrong place.

This was probably not the first thing to think about, as the error message is not relevant to the issue at all. That's going to be fixed soon.

The fix could look something like this:

```gherkin
Feature: Feature for issue 284
    In order to something
    As engineers
    We'll enforce something else

    Scenario Outline: Ensure S3 Bucket's ACL grant does not include write permissions, test2
        Given I have aws_s3_bucket defined
        When it has grant
        Then it must contain grant
        Then it must have permissions
        And its value must not contain <value>
    Examples:
    | value           |
    | WRITE_ACP       |
    | WRITE           |
    | FULL_CONTROL    |
    | some_bad_value  |
```

Here we drill down to grant, but still do not fail the test if the resource does not have one (When into Then).
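To make the drill-down point concrete, here is an added Python sketch (not terraform-compliance's own code) that evaluates both lookups against a constructed plan fragment shaped like the bucket in this issue; the plan layout, the `PLAN` constant and the function names are assumptions for this example.

```python
# Constructed parsed-plan fragment shaped like the aws_s3_bucket in the issue
# (what json.load() on a plan file would return); the layout is an assumption
# for this example, not the attached plan.json.
PLAN = {"planned_values": {"root_module": {"resources": [{
    "address": "aws_s3_bucket.bucket",
    "type": "aws_s3_bucket",
    "values": {
        "bucket": "mybucket",
        "grant": [
            {"id": "current_user_id", "type": "CanonicalUser",
             "permissions": ["FULL_CONTROL"]},
            {"type": "Group", "permissions": ["READ", "WRITE"],
             "uri": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
        ],
    },
}]}}}

# The write-class permissions listed in the scenario's Examples table.
FORBIDDEN = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def s3_buckets(plan):
    """'Given I have aws_s3_bucket defined': select resources of that type."""
    return [r for r in plan["planned_values"]["root_module"]["resources"]
            if r["type"] == "aws_s3_bucket"]


def shallow_check(plan):
    """Original outline: 'its permissions' is read off the bucket itself, which
    has no such key (it lives inside each grant), so the control silently passes."""
    findings = []
    for bucket in s3_buckets(plan):
        for perm in bucket["values"].get("permissions", []):
            if perm in FORBIDDEN:
                findings.append((bucket["address"], None, perm))
    return findings


def drilled_check(plan):
    """Corrected outline: drill into each grant, then into its permissions."""
    findings = []
    for bucket in s3_buckets(plan):
        for grant in bucket["values"].get("grant", []):
            for perm in grant.get("permissions", []):
                if perm in FORBIDDEN:
                    findings.append((bucket["address"], grant.get("type"), perm))
    return findings
```

The empty result from the shallow lookup is the risky outcome: the control reports nothing instead of failing, which is what the SKIP in the original run amounted to.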

vrbcntrl (Contributor, Author) commented Jun 5, 2020

Hi @Kudbettin ,

Thanks for your response, the above test is working as expected.

@vrbcntrl vrbcntrl closed this as completed Jun 5, 2020
ghost commented Jun 5, 2020

This issue's conversation is now locked. If you want to continue this discussion please open a new issue.

@ghost ghost locked and limited conversation to collaborators Jun 5, 2020
Kudbettin (Member) commented

Hi @vrbcntrl,

Your original features should now produce better feedback on release 1.2.5.

@Kudbettin Kudbettin added the waiting for confirmation Workaround/Fix applied, waiting for confirmation label Jun 7, 2020