Skip to content

Commit

Permalink
fix(misconf): allow null values only for tf variables (#8112)
Browse files Browse the repository at this point in the history
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
  • Loading branch information
nikpivkin authored Jan 10, 2025
1 parent a0429f7 commit 23dc3a6
Show file tree
Hide file tree
Showing 3 changed files with 40 additions and 2 deletions.
2 changes: 1 addition & 1 deletion pkg/iac/scanners/terraform/parser/load_module.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ type ModuleDefinition struct {
}

func (d *ModuleDefinition) inputVars() map[string]cty.Value {
inputs := d.Definition.Values().AsValueMap()
inputs := d.Definition.NullableValues().AsValueMap()
if inputs == nil {
return make(map[string]cty.Value)
}
Expand Down
26 changes: 26 additions & 0 deletions pkg/iac/scanners/terraform/parser/parser_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -2161,3 +2161,29 @@ resource "foo" "this" {
})
}
}

func TestAttrRefToNullVariable(t *testing.T) {
fsys := fstest.MapFS{
"main.tf": &fstest.MapFile{Data: []byte(`variable "name" {
type = string
default = null
}
resource "aws_s3_bucket" "example" {
bucket = var.name
}`)},
}

parser := New(fsys, "", OptionStopOnHCLError(true))

require.NoError(t, parser.ParseFS(context.TODO(), "."))

_, err := parser.Load(context.TODO())
require.NoError(t, err)

modules, _, err := parser.EvaluateAll(context.TODO())
require.NoError(t, err)

val := modules.GetResourcesByType("aws_s3_bucket")[0].GetAttribute("bucket").GetRawValue()
assert.Nil(t, val)
}
14 changes: 13 additions & 1 deletion pkg/iac/terraform/block.go
Original file line number Diff line number Diff line change
Expand Up @@ -569,13 +569,25 @@ func (b *Block) Attributes() map[string]*Attribute {
return attributes
}

func (b *Block) NullableValues() cty.Value {
return b.values(true)
}

func (b *Block) Values() cty.Value {
return b.values(false)
}

func (b *Block) values(allowNull bool) cty.Value {
values := createPresetValues(b)
for _, attribute := range b.GetAttributes() {
if attribute.Name() == "for_each" {
continue
}
values[attribute.Name()] = attribute.NullableValue()
if allowNull {
values[attribute.Name()] = attribute.NullableValue()
} else {
values[attribute.Name()] = attribute.Value()
}
}
return cty.ObjectVal(postProcessValues(b, values))
}
Expand Down

0 comments on commit 23dc3a6

Please sign in to comment.