
Feat/resolve single depth references #8

Merged 3 commits into main from feat/resolve-single-depth-references on Feb 28, 2022

Conversation

p0tr3c
Contributor

@p0tr3c p0tr3c commented Feb 16, 2022

What

Introduce single depth of reference resolution in plan parsing.

Terraform plan cannot resolve all dependencies before apply stage. The unresolved items can still be useful however. We are currently using these references to link resources together in Rego.

Why

Mainly to solve the problem of terraform AWS provider v4.0.0, which introduced breaking changes to the s3 bucket.

The reference structure in terraform is actually quite complex. This PR only does basic dereferencing for purposes of allowing us to link resources on first depth attributes. This is good enough to link related S3 resources together.

Review

Given the TF plan included in the PR, the parser would produce the following output:

{
        "data": {},
        "resource": {
                "aws_s3_bucket": {
                        "denied": {
                                "bucket": "denied",
                                "bucket_prefix": null,
                                "force_destroy": false,
                                "tags": null
                        },
                        "duh": {
                                "bucket": "duh",
                                "bucket_prefix": null,
                                "force_destroy": false,
                                "tags": null
                        },
                        "logging2": {
                                "bucket": "logging2",
                                "bucket_prefix": null,
                                "force_destroy": false,
                                "tags": null
                        }
                },
                "aws_s3_bucket_logging": {
                        "example": {
                                "expected_bucket_owner": null,
                                "target_grant": [],
                                "target_prefix": "log/"
                        },
                        "example2": {
                                "expected_bucket_owner": null,
                                "target_grant": [],
                                "target_prefix": "log/"
                        }
                }
        }
}

The produced output does not have any information which allows us to link aws_s3_bucket_logging.example to aws_s3_bucket.logging2.

After the change the output looks like this file.

You can see that now aws_s3_bucket_logging.example contains a bucket attribute which points to aws_s3_bucket.logging2.

Testing

You can build snyk-iac-rules with this branch. Run the following to use this branch in your local build:

go get github.com/snyk/snyk-iac-parsers@9fa1b8244d81efcbd135e7109be59bb6f8ffeec6

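As an added illustration, and not the parser's own code, the Go sketch below shows the shape of single-depth resolution over Terraform plan JSON: planned_values supplies the attribute values known at plan time, configuration.root_module.resources[].expressions[].references supplies the unresolved reference, and the first reference is trimmed to its type.name prefix so the logging resource ends up pointing at aws_s3_bucket.logging2. The plan excerpt is constructed for the example; the snyk-iac-parsers implementation and its output layout may differ.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Constructed plan excerpt (not from the PR): the logging resource's "bucket" is unknown
// until apply, so planned_values omits it, while configuration keeps the source expression.
const SamplePlan = `{"planned_values": {"root_module": {"resources": [
  {"address": "aws_s3_bucket.logging2", "values": {"bucket": "logging2", "force_destroy": false}},
  {"address": "aws_s3_bucket_logging.example", "values": {"target_prefix": "log/"}}]}},
 "configuration": {"root_module": {"resources": [{"address": "aws_s3_bucket_logging.example",
  "expressions": {"bucket": {"references": ["aws_s3_bucket.logging2.id", "aws_s3_bucket.logging2"]},
  "target_prefix": {"constant_value": "log/"}}}]}}}`

// Only the plan fields this needs; encoding/json matches untagged keys case-insensitively.
type resource struct {
	Address     string
	Values      map[string]interface{}
	Expressions map[string]struct{ References []string }
}
type module struct{ Resources []resource }
type plan struct {
	PlannedValues struct{ RootModule module `json:"root_module"` } `json:"planned_values"`
	Configuration struct{ RootModule module `json:"root_module"` } `json:"configuration"`
}

// ResolveSingleDepth maps address -> attributes and fills each attribute the plan left unknown
// with the "type.name" address of the first resource it references; deeper levels are not followed.
func ResolveSingleDepth(planJSON []byte) (map[string]map[string]interface{}, error) {
	var p plan
	if err := json.Unmarshal(planJSON, &p); err != nil {
		return nil, err
	}
	out := map[string]map[string]interface{}{}
	for _, r := range p.PlannedValues.RootModule.Resources {
		out[r.Address] = r.Values
	}
	for _, c := range p.Configuration.RootModule.Resources {
		vals := out[c.Address]
		for attr, e := range c.Expressions {
			if _, known := vals[attr]; known || vals == nil || len(e.References) == 0 {
				continue // constant, already known after plan, or resource not in planned_values
			}
			// "aws_s3_bucket.logging2.id" -> keep only "aws_s3_bucket.logging2"
			if parts := strings.SplitN(e.References[0], ".", 3); len(parts) >= 2 {
				vals[attr] = parts[0] + "." + parts[1]
			}
		}
	}
	return out, nil
}
```

Rego linking logic can then join aws_s3_bucket_logging.example.bucket against the aws_s3_bucket addresses, which is exactly the information the pre-change output lacked.
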
@p0tr3c p0tr3c requested a review from a team as a code owner February 16, 2022 18:45
@p0tr3c p0tr3c requested a review from YairZ101 February 16, 2022 18:45
@CLAassistant

CLAassistant commented Feb 16, 2022

CLA assistant check
All committers have signed the CLA.


@p15r p15r left a comment


🔥

@teodora-sandu
Contributor

@p0tr3c Are you waiting on something to merge this PR? The CLI PR is ready to merge too so let me know whenever you're happy with me merging it

@p0tr3c
Contributor Author

p0tr3c commented Feb 28, 2022

Let's merge it!

@p0tr3c p0tr3c merged commit a4bba79 into main Feb 28, 2022
@p0tr3c p0tr3c deleted the feat/resolve-single-depth-references branch February 28, 2022 09:53

4 participants