Terraform 12 string interpolation within heredocs break entire doc #154

Open
milldr opened this issue Mar 5, 2020 · 5 comments
Labels
bug Something isn't working

Comments

Contributor

milldr commented Mar 5, 2020

If a heredoc for a policy or the like has string interpolation, it will resolve to null. Removing the variable will behave as expected.

When a policy has a string interpolation in it, config-lint always returns an OK.

Example:

resource "aws_sqs_queue_policy" "policy_version_set_incorrectly" {
  queue_url = aws_sqs_queue.test_queue.id

  policy = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sqs:SendMessage",
      "Resource": "${aws_sqs_queue.test_queue.arn}"
    }
  ]
}
EOF
}

resolves to:

  {
    "ID": "policy_version_set_incorrectly",
    "Type": "aws_sqs_queue_policy",
    "Category": "resource",
    "Properties": {
      "policy": null,
      "queue_url": "UNDEFINED"
    },
    "Filename": "testdata/builtin/terraform12/aws/sqs_queue_policy/policy_version.tf",
    "LineNumber": 25
  }

Change "Resource": "${aws_sqs_queue.test_queue.arn}" to "Resource": "#{aws_sqs_queue.test_queue.arn}" and now the resource (correctly) resolves to

  {
    "ID": "policy_version_set_incorrectly",
    "Type": "aws_sqs_queue_policy",
    "Category": "resource",
    "Properties": {
      "policy": {
        "Statement": [
          {
            "Action": "sqs:SendMessage",
            "Effect": "Allow",
            "Resource": "#{aws_sqs_queue.test_queue.arn}"
          }
        ],
        "Version": "2008-10-17"
      },
      "queue_url": "UNDEFINED"
    },
    "Filename": "testdata/builtin/terraform12/aws/sqs_queue_policy/policy_version.tf",
    "LineNumber": 25
  }

milldr self-assigned this Mar 5, 2020
milldr added the bug (Something isn't working) label Mar 5, 2020
milldr closed this as completed Mar 5, 2020

Contributor Author

milldr commented Mar 5, 2020

Reopening this. The bug isn't resolved, but instead we found a workaround for our use case. Will come back to this after higher priority items.

milldr reopened this Mar 5, 2020

Contributor Author

milldr commented Mar 5, 2020

For reference, the mentioned workaround is for #113.

kmonihen self-assigned this Apr 17, 2020

@kmonihen
Contributor

I dug into this a little and found that variables that are determined after a deploy (like aws_sqs_queue.test_queue.arn) cause the entire JSON block to be "undefined"/nil.

Ideally we'd want these variables to resolve as "UNDEFINED", or even better the variable name could be kept in place so the name could be used for matching in rules.

Contributor

twellspring commented Jun 25, 2020

If there is a string interpolation in the Resource definition, the test always returns an OK.

@twellspring
Contributor

Found a customer rule that is specifically looking to see if a particular parameter contains a variable. So hopefully we can fix this such that it still sees the variable.
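
An added example, not part of the issue thread and not config-lint's own code: one way a loader could keep a post-deploy reference in place so the heredoc still parses as JSON, while a rule treats a missing policy as a failure rather than OK. `ResolvePolicy`, `CheckPolicyVersion`, the sample input and the `2012-10-17` version check are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Constructed sample, modelled on the heredoc in the issue.
const samplePolicy = `{
  "Version": "2008-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sqs:SendMessage",
                 "Resource": "${aws_sqs_queue.test_queue.arn}"}]
}`

var refPattern = regexp.MustCompile(`\$\{([^}]+)\}`)

// ResolvePolicy (hypothetical helper) substitutes references present in known,
// leaves the rest verbatim, and reports them. Assumes references sit inside JSON strings.
func ResolvePolicy(heredoc string, known map[string]string) (map[string]interface{}, []string, error) {
	var unresolved []string
	text := refPattern.ReplaceAllStringFunc(heredoc, func(m string) string {
		name := m[2 : len(m)-1] // strip "${" and "}"
		if v, ok := known[name]; ok {
			b, _ := json.Marshal(v) // JSON-escape, then drop the surrounding quotes
			return string(b[1 : len(b)-1])
		}
		unresolved = append(unresolved, name)
		return m // keep the placeholder so rules can still match on it
	})
	var policy map[string]interface{}
	if err := json.Unmarshal([]byte(text), &policy); err != nil {
		return nil, unresolved, err
	}
	return policy, unresolved, nil
}

// CheckPolicyVersion (hypothetical rule) fails closed when no policy was loaded.
func CheckPolicyVersion(policy map[string]interface{}) string {
	if policy == nil || policy["Version"] != "2012-10-17" {
		return "FAILURE"
	}
	return "OK"
}

func main() {
	policy, unresolved, err := ResolvePolicy(samplePolicy, nil)
	fmt.Println(CheckPolicyVersion(policy), unresolved, err)
}
```

The returned list of unresolved references also gives a rule something to match on when it needs to know whether a parameter contains a variable.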
