Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Terraform - variable rendering of a string variable passed to a function changes it to a non string

See original GitHub issue

Describe the issue I have written a custom check which looks for the tag keys and values. when running checkov with the --evaluate-variable as true the check fails due to not being able to determine the value of a local value. The check works if the value of the tag is not a variable or defined in locals

I expect checkov to evaluate the lookup(local.BackupPlan, var.env) to the value depending on the result of the local lookup.

Examples Custom Check

---
metadata:
  name: "Check that all resources are tagged with the key - BackupPlan and have a valid value"
  id: "CKV2_AWS_IT_BR_C2_001"
  category: "CMP_IT_CONTROLS"
scope:
  provider: aws
definition:
  and:
    - cond_type: "attribute"
      resource_types:
      - "aws_s3_bucket"
      - "aws_docdb_cluster"
      - "aws_dynamodb_table"
      - "aws_efs_file_system"
      - "aws_rds_cluster"
      - "aws_rds_cluster_instance"
      attribute: "tags.BackupPlan"
      operator: "equals"
      value: "Daily5"
    - or:
        - cond_type: "attribute"
          resource_types:
          - "aws_s3_bucket"
          attribute: "tags.BackupPlan"
          operator: "equals"
          value: "Daily15"
        - cond_type: "attribute"
          resource_types:
          - "aws_s3_bucket"
          attribute: "tags.BackupPlan"
          operator: "equals"
          value: "Daily35"

S3 Bucket resource

resource "aws_s3_bucket" "artifacts" {
  bucket = "${var.prefix}-artifacts-${var.env}"
  count  = var.env == "shared" ? 1 : 0
  tags = {
    Name                  = "${var.prefix}-artifacts-${var.env}"
    team                  = var.prefix
    "PII Relevant"        = "NULL"
    "BackupPlan"      = lookup(local.BackupPlan, var.env)
    }
}

Locals

  BackupPlan = {
    dev     = "Daily5"
    preprod = "Daily15"
    prod    = "Daily35"
    shared  = "Daily35"
  }
}

Failure

Check: CKV2_AWS_IT_BR_C2_001: "Check that all resources are tagged with the key - BackupPlan and have a valid value"
	FAILED for resource: aws_s3_bucket.artifacts
	File: /s3_buckets.tf:336-348

		336 | resource "aws_s3_bucket" "artifacts" {
		337 |   bucket = "${var.prefix}-artifacts-${var.env}"
		338 |   count  = var.env == "shared" ? 1 : 0
		339 |   tags = {
		340 |     Name                  = "${var.prefix}-artifacts-${var.env}"
		341 |     team                  = var.prefix
		342 |     "PII Relevant"        = "NULL"
		343 |     "BackupPlan"      = lookup(local.BackupPlan, var.env)
		344 |     }

Version (please complete the following information):

Checkov Version 2.1.236

Additional context Add any other context about the problem here.

Issue Analytics

State:
Created a year ago
Comments:8

Top GitHub Comments

1reaction

gruebelcommented, Oct 6, 2022

I took a look and there are 2 issues, one on your side and one in our code. lets start with yours

your usage of lookup(...) is deprecated since Terraform 0.7, so we will not add support for it https://www.terraform.io/language/functions/lookup

For historical reasons, the default parameter is actually optional. However, omitting default is deprecated since v0.7 because that would then be equivalent to the native index syntax, map[key].

the other issue is harder to fix. I tried it, but it breaks other cases, so nothing which will be done in the next days or probably even weeks, depending on my free time.

0reactions

aniu-droidcommented, Dec 12, 2022

I think this is an issue with this block:

https://github.com/bridgecrewio/checkov/blob/307a33648a148a797d83ec22105bb6892d92cfe7/checkov/terraform/graph_builder/local_graph.py#L264-L272

Checkov assumes that the tfvars files are in the same directory as the variable blocks and doesn’t appear to respect the --var-file argument. I tested this locally by deleting this condition and my checks began passing:

https://github.com/bridgecrewio/checkov/blob/307a33648a148a797d83ec22105bb6892d92cfe7/checkov/terraform/graph_builder/local_graph.py#L269

Is there any way we can have Checkov use the directories of any of the arguments passed to --var-files in addition to the current directory?

I was able to get my failing policy to pass by putting my tfvars file in the same directory as my variables blocks.

Top Results From Across the Web

why is terraform so broken? Any workarounds? - Google Groups

There's the jsonencode() function, which will apparently correctly render a compound structure (not that I've tested it), but there's no tool for manipulating ......

Input Variables - Configuration Language | Terraform

Input variables allow you to customize modules without altering their source code. Learn how to declare, define, and reference variables in configurations.

template_file | Data Sources | hashicorp/template

The template_file data source renders a template from a template string, ... In Terraform 0.12 and later, the templatefile function offers a built-in ......

Interpolation Syntax - Koding

Embedded within strings in Terraform, whether you're using the Terraform syntax or JSON syntax, you can interpolate other values. These interpolations are ...

Terraform tips & tricks: loops, if-statements, and gotchas

The username is passed into this module as an input variable: variable "user_name" { description = "The user name to use" type =...